This article highlights a cross-site scripting (XSS) vulnerability in certain versions of Lectora e-learning software, affecting both desktop and online platforms. Users are advised to update and republish courses to mitigate security risks.
Key points
- The vulnerability affects Lectora Desktop versions 21.0–21.3 and Lectora Online versions 7.1.6 and older.
- The XSS flaw occurs when courses are published with Seamless Play Publish enabled and Web Accessibility disabled.
- The issue allows JavaScript injection via crafted URL parameters, risking session hijacking or user redirection.
- The vulnerability was patched in Desktop version 21.4 released on October 25, 2022, and in Online version 7.1.7 on July 20, 2025.
- Users must republish their courses after updating to ensure the security patch is applied.
Read More: https://kb.cert.org/vuls/id/780141