CVE-2021-47907

Description

Rocket LMS 1.1 contains a persistent cross-site scripting vulnerability in the support ticket module that allows authenticated users to inject malicious script code through the title parameter. Attackers can submit support tickets with embedded HTML/JavaScript payloads that execute in the browsers of other users viewing the message history, enabling session hijacking and phishing attacks.

PUBLISHED Reserved 2026-01-18 | Published 2026-05-10 | Updated 2026-05-10 | Assigner VulnCheck

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Credits

Vulnerability-Lab finder

References

www.exploit-db.com/exploits/50677 (ExploitDB-50677) exploit

lms.rocket-soft.org/ (Official Product Homepage) product

www.vulncheck.com/...ross-site-scripting-via-support-tickets (VulnCheck Advisory: Rocket LMS 1.1 Persistent Cross-Site Scripting via Support Tickets) third-party-advisory

cve.org (CVE-2021-47907)

nvd.nist.gov (CVE-2021-47907)

Download JSON