Description
RELATE is a web-based courseware package. Versions prior to commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 have a stored cross-site scripting vulnerability that allows any enrolled student to execute arbitrary JavaScript in an administrator's browser session, potentially leading to full admin account takeover. The `get_user()` method in `ParticipationAdmin` renders user-controlled input using `mark_safe` combined with Python's % string formatting. This bypasses Django's automatic HTML escaping entirely. The value returned by `get_full_name` is derived directly from the `first_name` and `last_name` fields of the User model. These fields are freely editable by any authenticated user through the profile page (`/profile/`) with no sanitization applied. When an admin views the Participation list in the Django admin panel, the unsanitized value is rendered directly into the HTML response, causing the injected script to execute in the admin's browser. Commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 fixes the issue.
Published: 2026-05-27
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in RELATE arises from the ParticipationAdmin.get_user() method rendering user supplied first and last names with Django's mark_safe and string formatting, bypassing all HTML escaping. Because any authenticated, enrolled student can freely edit these fields through their profile page, an attacker can store malicious JavaScript. When an administrator opens the Participation list, the stored payload executes in the administrator's browser, giving the attacker full control of the admin account. This stored cross-site scripting flaw is identified as CWE-79 and can compromise both confidentiality and integrity of the courseware system.

Affected Systems

All RELATE deployments that run the codebase prior to commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 are affected. The vendor is inducer:relate and the product is the RELATE web-based courseware. Upgrading to the referenced commit or any newer release that incorporates the change removes the vulnerability.

Risk and Exploitability

The CVSS score of 8.7 signals very high severity, and the flaw enables an attacker with ordinary user privileges to achieve a full admin takeover. No public exploitation is currently catalogued in KEV and the EPSS score is not available, yet the attack path is straightforward: an enrolled user modifies their profile name, the data is stored, and an admin viewing the participation list triggers the script. Until the patch is applied, the risk remains high for any instance of RELATE that has not yet updated to the fixed commit.

Generated by OpenCVE AI on May 27, 2026 at 21:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update RELATE to commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 or a later release that contains the fix
  • Confirm that the first_name and last_name fields are no longer rendered using mark_safe and that any rendering applies proper HTML escaping
  • Implement stronger input validation or sanitization on user profile fields, restricting them to safe characters or escaping all user input before storage

Generated by OpenCVE AI on May 27, 2026 at 21:00 UTC.
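As an added illustration (not RELATE's or Django's code), the following shows the unsafe list_display pattern the description names beside the format_html form that the second recommended action asks reviewers to confirm. Django is assumed not to be installed, so small stand-ins for mark_safe, conditional_escape and format_html are defined with the same escaping table Django uses; the User class and the student record are constructed samples.

```python
import html


class SafeString(str):
    """Stand-in for Django's SafeString: a str the admin template will not escape."""


def mark_safe(s):
    return SafeString(s)


def conditional_escape(value):
    # Stand-in for Django's conditional_escape: safe strings pass through,
    # anything else has &, <, >, " and ' replaced (same table Django uses).
    return value if isinstance(value, SafeString) else SafeString(html.escape(str(value), quote=True))


def format_html(fmt, *args):
    # Stand-in for Django's format_html: escape every argument, then format.
    return SafeString(fmt.format(*(conditional_escape(a) for a in args)))


class User:
    # Minimal model of the User fields the advisory names (constructed).
    def __init__(self, username, first_name, last_name):
        self.username, self.first_name, self.last_name = username, first_name, last_name

    def get_full_name(self):
        return f"{self.first_name} {self.last_name}".strip()


def get_user_vulnerable(user):
    # The pattern the advisory describes: %-format the user-controlled name,
    # then mark the whole string safe, so nothing in it is ever escaped.
    return mark_safe("%s (%s)" % (user.get_full_name(), user.username))


def get_user_fixed(user):
    # Hardened form: format_html escapes each interpolated value on its own.
    return format_html("{} ({})", user.get_full_name(), user.username)


def render_admin_cell(value):
    # How the admin changelist treats a list_display callable's return value:
    # a SafeString is emitted verbatim, a plain str is autoescaped.
    return str(value) if isinstance(value, SafeString) else html.escape(str(value), quote=True)


# Constructed sample: an enrolled student who put markup into first_name.
STUDENT = User("student1", "<script>alert(1)</script>", "Doe")
```

Rendering STUDENT through both methods shows the raw tag survive the vulnerable path and come out as `&lt;script&gt;` on the fixed one; the same check can be run against any other mark_safe call found in an admin class.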


Advisories

No advisories yet.

History

Wed, 27 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description RELATE is a web-based courseware package. Versions prior to commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 have a stored cross-site scripting vulnerability that allows any enrolled student to execute arbitrary JavaScript in an administrator's browser session, potentially leading to full admin account takeover. The `get_user()` method in `ParticipationAdmin` renders user-controlled input using `mark_safe` combined with Python's % string formatting. This bypasses Django's automatic HTML escaping entirely. The value returned by `get_full_name` is derived directly from the `first_name` and `last_name` fields of the User model. These fields are freely editable by any authenticated user through the profile page (`/profile/`) with no sanitization applied. When an admin views the Participation list in the Django admin panel, the unsanitized value is rendered directly into the HTML response, causing the injected script to execute in the admin's browser. Commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 fixes the issue.
Title RELATE Vulnerable to Stored XSS via Unprivileged User Profile
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T18:30:27.258Z

Reserved: 2026-04-25T05:04:37.026Z

Link: CVE-2026-42197

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-27T20:16:36.260

Modified: 2026-05-27T20:16:36.260

Link: CVE-2026-42197

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T21:00:14Z

Weaknesses