CVE-2025-15134 identifies a cross-site scripting (XSS) vulnerability in the yourmaileyes MOOC platform, specifically affecting all versions from 1.0 through 1.17. The vulnerability resides in the subreview function within the Submission Handler component, implemented in the file mooc/controller/MainController.java. The issue arises because the 'review' parameter is improperly sanitized or validated, allowing an attacker to inject malicious JavaScript code. This flaw enables remote attackers to craft specially crafted requests that, when processed by the vulnerable function, execute arbitrary scripts in the context of the victim's browser. The attack vector requires no authentication but does require user interaction, such as clicking a malicious link or submitting crafted input. The CVSS 4.0 base score is 5.1 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, but user interaction needed, and limited impact on integrity and availability. The vulnerability was responsibly disclosed to the yourmaileyes project, but no patch or official response has been issued as of the publication date. Public exploit code has been released, increasing the risk of exploitation. The vulnerability primarily threatens confidentiality and integrity by enabling session hijacking, credential theft, or unauthorized actions performed in the context of authenticated users. Because the flaw is in a MOOC platform, it could affect educational institutions and organizations relying on yourmaileyes MOOC for online learning and submissions.

For European organizations, this XSS vulnerability poses significant risks, especially for educational institutions, training providers, and enterprises using yourmaileyes MOOC for managing coursework and submissions. Exploitation could lead to theft of user credentials, session hijacking, unauthorized access to sensitive educational data, and manipulation or defacement of course content. This could damage institutional reputation, violate data protection regulations such as GDPR, and disrupt learning activities. Additionally, attackers could leverage the XSS flaw as a pivot point for further attacks within the organization's network. The public availability of exploit code increases the likelihood of opportunistic attacks, particularly targeting less security-aware users. The lack of vendor response and patch availability prolongs exposure, necessitating immediate mitigation efforts by affected organizations.

Since no official patch is currently available, European organizations should implement the following mitigations: 1) Employ web application firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the 'review' parameter in the subreview function. 2) Enforce strict input validation and output encoding on all user-supplied data, especially the 'review' argument, to neutralize script injection attempts. 3) Educate users to avoid clicking suspicious links or submitting untrusted input related to the MOOC platform. 4) Monitor web server logs and application behavior for unusual requests or error patterns indicative of exploitation attempts. 5) Isolate the MOOC platform within a segmented network zone to limit lateral movement if compromise occurs. 6) Consider temporary disabling or restricting the vulnerable functionality if feasible until a patch is released. 7) Engage with the vendor or community to track patch developments and apply updates promptly once available. 8) Implement Content Security Policy (CSP) headers to reduce the impact of XSS by restricting script execution sources.