CVE-2025-65675: n/a

Severity: Medium
Published: Wed Nov 26 2025 (11/26/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Stored Cross site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG profile pictures.

AI-Powered Analysis

Last updated: 12/03/2025, 19:41:54 UTC

Technical Analysis

CVE-2025-65675 is a stored cross-site scripting (XSS) vulnerability in Classroomio LMS version 0.1.13 (CWE-79). The application accepts SVG files as profile pictures without sanitizing them, so an authenticated user can upload an SVG that carries JavaScript: a script element, an event-handler attribute such as onload, or a javascript: reference. The file is stored and served from the application's own origin, and when a victim's browser loads it as a document the script runs with that origin's privileges: it can read the page's cookies and storage, issue requests as the victim, and read or change any LMS data the victim can access. Typical outcomes are session hijacking, credential or token theft, and unauthorized actions performed as an instructor or administrator.

One caveat a practitioner should keep in mind: browsers do not execute script in an SVG that is rendered through an HTML img element. Script in an uploaded SVG runs when the file is opened directly at its URL on the LMS origin, or when it is embedded inline or through an object or iframe element. The exposure therefore depends on where and how Classroomio serves profile pictures, and a fix must cover the direct-URL case, not only the rendered avatar.

This analysis assigns the CVSS 3.1 vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, which yields a base score of 5.4 (Medium): network attack vector, low attack complexity, low privileges required (any authenticated user), user interaction required (a victim has to open the image), changed scope (the script executes in the victim's browser rather than in the vulnerable server component), limited confidentiality and integrity impact, and no availability impact. Note that the CVE record itself carries no CVSS score (Cvss Version: null in the Technical Details below). At the time of writing no patch has been published and no in-the-wild exploitation has been reported.

Potential Impact

For European organizations, particularly educational institutions and training providers running Classroomio LMS, the exposure is to the confidentiality and integrity of user data and course content. Because the stored payload executes as whoever views it, a low-privileged account (PR:L in the vector above, i.e. an ordinary student login) can target instructors and administrators: hijack their sessions, read grades and personal data, and change course content or user permissions through the victim's browser. Availability is not affected, but a breach of personal data held in an LMS carries GDPR notification obligations as well as reputational harm. The authentication requirement narrows the attack surface without removing it: any account that can upload a profile picture qualifies, whether legitimately registered, compromised, or an insider. Because the payload is stored, one upload can affect every user who views that profile until the file is removed. The Medium score should be read as moderate urgency, not low, given the sensitivity of the data an LMS holds.

Mitigation Recommendations

No official patch is available, so organizations running Classroomio LMS 0.1.13 should apply compensating controls now.

Stop accepting SVG as a profile-picture format and accept only raster formats (PNG, JPEG, WebP). Determine the format from the file's bytes rather than its extension or the client-supplied Content-Type, and ideally re-encode the image server-side so that only pixel data survives.

If SVG uploads are genuinely required, validate them with an allowlist: accept only known-safe elements and attributes and reject everything else, including every event-handler attribute, every script, style, foreignObject, a and image element, and every href or url() reference that does not point inside the document. A blocklist that strips known-bad patterns with regular expressions is routinely bypassed; use a maintained library and parse with an XML parser that blocks entity expansion.

Serve user uploads so that script cannot run in the application's origin: host them on a separate origin (a dedicated uploads domain), or at minimum send them with Content-Disposition: attachment, X-Content-Type-Options: nosniff, and a Content-Security-Policy header such as default-src 'none' (or sandbox) on the upload route, which neutralizes script in an SVG even when the file is opened directly. Apply a CSP to the application itself that disallows inline script (nonce- or hash-based script-src) to limit the impact of any XSS.

Audit the profile pictures already in storage. Existing malicious SVGs remain exploitable after any fix, so scan stored files for script elements, on* attributes and external references, and remove or replace offenders. Monitor logs for SVG profile-picture uploads and for sessions that show activity from unexpected addresses shortly after an image view.

Enforce strong authentication and multi-factor authentication to reduce both the risk of account compromise and the value of a hijacked session, and train users on phishing. Finally, track Classroomio's releases and apply the fix as soon as it ships.
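The allowlist validator described above, as an added example written for this page; it is not Classroomio's code and does not reflect how Classroomio handles uploads. It uses only the Python standard library. The element and attribute allowlists, the 256 KiB size cap and the sample SVGs are constructed for the example; in production, parse with defusedxml so that entity-expansion (billion laughs) inputs are rejected as well.

```python
"""Allowlist-based validation of SVG profile pictures (added example).

Policy: refuse anything not explicitly allowed rather than stripping
known-bad content.  Unknown elements or attributes, on* event handlers,
href or url() values that leave the document, and <script>, <style>,
<foreignObject>, <a>, <image> and animation elements all reject the file.
Standard library only; use defusedxml in production against entity bombs.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
MAX_BYTES = 256 * 1024  # assumed cap for an avatar

# Enough for avatars (shapes, text, gradients, clipping).  Deliberately
# absent: script, style, foreignObject, a, image, animate, set.
ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "title", "desc", "use", "path", "rect", "circle",
    "ellipse", "line", "polyline", "polygon", "text", "tspan", "clipPath",
    "mask", "linearGradient", "radialGradient", "stop",
}
ALLOWED_ATTRS = {
    "id", "class", "viewBox", "width", "height", "x", "y", "x1", "y1", "x2",
    "y2", "cx", "cy", "r", "rx", "ry", "d", "points", "fill", "fill-opacity",
    "stroke", "stroke-width", "opacity", "transform", "font-size",
    "text-anchor", "offset", "stop-color", "stop-opacity", "clip-path",
    "mask", "href", "style",
}
URL_REF = re.compile(r"url\(\s*['\"]?\s*([^'\")\s]*)", re.IGNORECASE)


def _split(qname):
    """ElementTree writes '{namespace}local'; return (namespace, local)."""
    if qname.startswith("{"):
        ns, local = qname[1:].split("}", 1)
        return ns, local
    return "", qname


def validate_svg(data):
    """Return (True, 'ok') for an acceptable upload, else (False, reason)."""
    if len(data) > MAX_BYTES:
        return False, "file too large"
    try:
        root = ET.fromstring(data)  # also fails for PNG/JPEG bytes
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    if root.tag != f"{{{SVG_NS}}}svg":
        return False, "root element is not svg"
    for el in root.iter():  # document order, root included
        ns, tag = _split(el.tag)
        if ns != SVG_NS or tag not in ALLOWED_ELEMENTS:
            return False, f"element not allowed: {tag}"
        for qname, value in el.attrib.items():
            ans, attr = _split(qname)
            if attr.lower().startswith("on"):
                return False, f"event handler attribute: {attr}"
            if ans not in ("", XLINK_NS) or attr not in ALLOWED_ATTRS:
                return False, f"attribute not allowed: {attr}"
            if attr == "href" and not value.startswith("#"):
                return False, f"non-local href: {value}"
            # fill="url(#grad)" is fine; url(https://...) would load remotely
            if not all(t.startswith("#") for t in URL_REF.findall(value)):
                return False, f"external url() reference in {attr}"
    return True, "ok"


# Constructed inputs for the example; none is a real upload.
SAMPLES = {
    "avatar": (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64">'
               b'<defs><linearGradient id="g"><stop offset="0" stop-color="#06b"/>'
               b'<stop offset="1" stop-color="#3b82f6"/></linearGradient></defs>'
               b'<circle cx="32" cy="32" r="30" fill="url(#g)"/>'
               b'<text x="32" y="40" font-size="28" text-anchor="middle" '
               b'fill="#fff">AB</text></svg>'),
    "script": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.cookie)</script></svg>',
    "onload": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect width="1" height="1"/></svg>',
    "foreign": (b'<svg xmlns="http://www.w3.org/2000/svg"><foreignObject>'
                b'<body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(1)"/>'
                b'</body></foreignObject></svg>'),
    "ext_use": (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                b'<use xlink:href="https://attacker.example/x.svg#p"/></svg>'),
    "png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
}


def check_samples():
    """Apply the policy to every sample; only 'avatar' should pass."""
    return {name: validate_svg(data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:8s} {validate_svg(data)}")
```

The design choice is to validate, not sanitize: a rejected upload costs the user a retry, whereas a sanitizer that misses one construct costs every other user their session. The same function can be run over files already in storage to find existing malicious profile pictures.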

Technical Details

Data Version
5.2
Assigner Short Name
mitre
Date Reserved
2025-11-18T00:00:00.000Z
Cvss Version
null
State
PUBLISHED

Threat ID: 69274a408e37a182565a4464

Added to database: 11/26/2025, 6:43:12 PM

Last enriched: 12/3/2025, 7:41:54 PM

Last updated: 1/11/2026, 1:32:43 AM
