The Open eClass platform, previously known as GUnet eClass, is a comprehensive course management system widely used in educational environments. CVE-2026-24672 identifies a Stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, which affects versions prior to 4.2. This vulnerability allows authenticated students to inject malicious JavaScript code into user profile fields. When users with the appropriate viewing privileges access these compromised profile pages, the injected scripts execute in their browsers. The vulnerability arises from improper neutralization of input during web page generation, meaning that user-supplied data is not correctly sanitized or encoded before being rendered. The CVSS v3.1 score of 7.3 reflects a high severity, with an attack vector of network, low attack complexity, requiring privileges (authenticated user), and user interaction (viewing the malicious profile). The impact includes high confidentiality and integrity risks, such as session hijacking, credential theft, or unauthorized actions performed on behalf of the victim user. Availability is not affected. Although no known exploits are reported in the wild, the vulnerability poses a significant risk to educational institutions relying on vulnerable Open eClass versions. The issue has been addressed in version 4.2, which includes patches to properly sanitize and encode user inputs in profile fields, preventing script injection.

For European organizations, particularly educational institutions using Open eClass, this vulnerability can lead to significant data breaches and unauthorized access to sensitive information. Attackers exploiting this XSS flaw can hijack user sessions, steal credentials, or perform actions impersonating legitimate users, undermining the integrity of the learning management system. This can result in unauthorized access to course materials, student records, and potentially administrative functions. The confidentiality of personal data is at risk, which may lead to violations of GDPR regulations, resulting in legal and financial repercussions. While availability is not directly impacted, the trust and operational stability of the platform can be compromised, affecting the educational process. The requirement for authenticated access limits the attack surface but does not eliminate risk, as students typically have legitimate access. The vulnerability's presence in widely used versions prior to 4.2 means that institutions that have not updated are vulnerable. Given the increasing reliance on digital education platforms in Europe, the potential impact is substantial.

1. Immediate upgrade of all Open eClass installations to version 4.2 or later, where the vulnerability is patched. 2. Implement strict input validation and output encoding on all user profile fields to prevent injection of malicious scripts. 3. Conduct regular security audits and code reviews focusing on input handling and sanitization in web applications. 4. Educate users and administrators about the risks of XSS and encourage cautious behavior when interacting with user-generated content. 5. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 6. Monitor logs and user activities for unusual behavior that may indicate exploitation attempts. 7. Restrict profile editing permissions to trusted users where possible to reduce the risk of malicious input. 8. Ensure that multi-factor authentication is enabled to mitigate the impact of credential theft. 9. Maintain an incident response plan specifically addressing web application attacks like XSS. 10. Engage with the Open eClass community or vendor for timely updates and security advisories.