Description
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Reflected Cross-Site Scripting (XSS) vulnerability allows remote attackers to execute arbitrary JavaScript in the context of authenticated users by crafting malicious URLs and tricking victims into visiting them. This issue has been patched in version 4.2.
Published: 2026-02-03
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site scripting affecting authenticated users
Action: Patch
AI Analysis

Impact

A reflected cross-site scripting flaw exists in the Open eClass platform in all releases prior to version 4.2. It permits a remote attacker to craft a malicious URL containing arbitrary JavaScript, which executes in the victim's browser when an authenticated user follows the link. This is a classic CWE-79 weakness: user-controlled input is reflected into the response without proper output encoding.

Affected Systems

The vulnerability applies to the gunet Open eClass platform, all versions older than 4.2. Any deployment running a pre-4.2 build is exposed to the reflected XSS flaw whenever its authenticated users are sent malicious URLs.

Risk and Exploitability

The CVSS base score of 4.7 indicates a moderate risk level, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The issue is not listed in the CISA KEV catalog. The attack vector is remote but indirect: an attacker must entice an authenticated user into following a crafted link. A fix is available in version 4.2, making an upgrade the most straightforward mitigation.

Generated by OpenCVE AI on April 18, 2026 at 14:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open eClass to version 4.2 or newer to eliminate the reflected XSS flaw.
  • If an upgrade cannot be performed immediately, restrict access to the vulnerable endpoints and enforce strict input sanitization to prevent script execution.
  • Deploy a web application firewall or configure a Content Security Policy that blocks inline scripts, thereby limiting the impact of any remaining XSS vectors.

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 17:30:00 +0000

  Type                 Values Removed  Values Added
  First Time appeared  -               Gunet; Gunet open Eclass Platform
  CPEs                 -               cpe:2.3:a:gunet:open_eclass_platform:*:*:*:*:*:*:*:*
  Vendors & Products   -               Gunet; Gunet open Eclass Platform

Wed, 04 Feb 2026 18:15:00 +0000

  Type     Values Removed  Values Added
  Metrics  -               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 12:15:00 +0000

  Type                 Values Removed  Values Added
  First Time appeared  -               Openeclass; Openeclass openeclass
  Vendors & Products   -               Openeclass; Openeclass openeclass

Tue, 03 Feb 2026 17:30:00 +0000

  Type         Values Removed  Values Added
  Description  -               The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Reflected Cross-Site Scripting (XSS) vulnerability allows remote attackers to execute arbitrary JavaScript in the context of authenticated users by crafting malicious URLs and tricking victims into visiting them. This issue has been patched in version 4.2.
  Title        -               Open eClass is Vulnerable to Reflected Cross-Site Scripting (XSS) in Multiple Endpoints
  Weaknesses   -               CWE-79
  References   -
  Metrics      -               cvssV3_1: {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T16:52:19.445Z

Reserved: 2026-01-23T20:40:23.388Z

Link: CVE-2026-24674

Vulnrichment

Updated: 2026-02-04T15:46:35.479Z

NVD

Status: Analyzed

Published: 2026-02-03T18:16:24.173

Modified: 2026-02-10T17:26:57.113

Link: CVE-2026-24674

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T14:15:04Z

Weaknesses