CVE-2025-67734 is a cross-site scripting (XSS) vulnerability classified under CWE-79 affecting the Frappe Learning Management System (LMS) prior to version 2.42.0. The vulnerability arises from improper neutralization of input during web page generation, specifically in the Company Website field of the Job Form. Authenticated attackers can inject arbitrary JavaScript code into this field, which is then rendered unsanitized in job postings viewed by other users. When a user opens a malicious job posting, the injected script executes in their browser context, potentially allowing attackers to steal session cookies, perform actions on behalf of users, or redirect users to malicious sites. The vulnerability does not require user interaction beyond viewing the affected page but does require the attacker to have authenticated access to submit the malicious input. The CVSS 4.0 base score is 5.1 (medium severity), reflecting network attack vector, low attack complexity, no privileges required beyond authentication, and user interaction needed (viewing the page). The vulnerability impacts confidentiality and integrity with limited scope and no impact on availability. No known exploits have been reported in the wild as of the publication date. The issue was addressed in Frappe LMS version 2.42.0 by properly sanitizing input fields to prevent script injection.

For European organizations, this vulnerability poses a risk primarily to educational institutions, corporate training departments, and any entities using Frappe LMS to manage learning content and job postings. Exploitation could lead to session hijacking, unauthorized actions performed under user credentials, or phishing via script injection, compromising user data confidentiality and system integrity. While the vulnerability requires authenticated access, insider threats or compromised accounts could be leveraged to inject malicious scripts. The impact is heightened in environments where sensitive personal or organizational data is accessible through the LMS. Additionally, compromised user trust and potential regulatory compliance issues under GDPR may arise if user data is exposed or manipulated. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits post-disclosure. Organizations relying on Frappe LMS should consider this vulnerability a moderate risk that warrants timely remediation to prevent potential exploitation.

1. Upgrade Frappe LMS to version 2.42.0 or later, where the vulnerability is fixed. 2. Implement strict input validation and sanitization on all user-supplied data fields, especially those rendered in web pages, to prevent script injection. 3. Apply Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 4. Limit the number of users with permissions to create or edit job postings to reduce the attack surface. 5. Monitor LMS logs for unusual activities or attempts to inject scripts. 6. Educate users and administrators about the risks of XSS and encourage reporting of suspicious content. 7. Employ web application firewalls (WAF) with rules to detect and block XSS payloads targeting the LMS. 8. Regularly audit and review LMS configurations and user permissions to ensure least privilege principles are enforced.