CVE-2026-24672 - Vulnerability Details - OpenCVE

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated students to inject malicious JavaScript into user profile fields, which is executed when users with viewing privileges access affected application pages. This issue has been patched in version 4.2.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Openeclass	Openeclass

No data.

No data.

References

Link	Providers
https://github.com/gunet/openeclass/security/advisories/GHSA-3p2x-qgxw-qvxh

History

Wed, 04 Feb 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 04 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Openeclass Openeclass openeclass
Vendors & Products		Openeclass Openeclass openeclass

Tue, 03 Feb 2026 17:30:00 +0000

Type	Values Removed	Values Added
Description		The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated students to inject malicious JavaScript into user profile fields, which is executed when users with viewing privileges access affected application pages. This issue has been patched in version 4.2.
Title		Open eClass is Vulnerable to Stored Cross-Site Scripting (XSS) in User Profile Fields
Weaknesses		CWE-79
References		https://github.com/gunet/openeclass/security/advisories/GHSA-3p2x-qgxw-qvxh
Metrics		cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-02-03T16:56:36.889Z

Updated: 2026-02-04T16:52:30.735Z

Reserved: 2026-01-23T20:40:23.388Z

Link: CVE-2026-24672

Vulnrichment

Updated: 2026-02-04T15:54:24.311Z

NVD

Status : Awaiting Analysis

Published: 2026-02-03T18:16:23.870

Modified: 2026-02-04T16:33:44.537

Link: CVE-2026-24672

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24672", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-23T20:40:23.388Z", "datePublished": "2026-02-03T16:56:36.889Z", "dateUpdated": "2026-02-04T16:52:30.735Z"}, "containers": {"cna": {"title": "Open eClass is Vulnerable to Stored Cross-Site Scripting (XSS) in User Profile Fields", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/gunet/openeclass/security/advisories/GHSA-3p2x-qgxw-qvxh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gunet/openeclass/security/advisories/GHSA-3p2x-qgxw-qvxh"}], "affected": [{"vendor": "gunet", "product": "openeclass", "versions": [{"version": "< 4.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T16:56:36.889Z"}, "descriptions": [{"lang": "en", "value": "The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated students to inject malicious JavaScript into user profile fields, which is executed when users with viewing privileges access affected application pages. This issue has been patched in version 4.2."}], "source": {"advisory": "GHSA-3p2x-qgxw-qvxh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T15:54:23.626017Z", "id": "CVE-2026-24672", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:52:30.735Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24672", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-04T15:54:23.626017Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T15:54:24.311Z"}}], "cna": {"title": "Open eClass is Vulnerable to Stored Cross-Site Scripting (XSS) in User Profile Fields", "source": {"advisory": "GHSA-3p2x-qgxw-qvxh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "gunet", "product": "openeclass", "versions": [{"status": "affected", "version": "< 4.2"}]}], "references": [{"url": "https://github.com/gunet/openeclass/security/advisories/GHSA-3p2x-qgxw-qvxh", "name": "https://github.com/gunet/openeclass/security/advisories/GHSA-3p2x-qgxw-qvxh", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated students to inject malicious JavaScript into user profile fields, which is executed when users with viewing privileges access affected application pages. This issue has been patched in version 4.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T16:56:36.889Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24672", "state": "PUBLISHED", "dateUpdated": "2026-02-04T16:52:30.735Z", "dateReserved": "2026-01-23T20:40:23.388Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-03T16:56:36.889Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}