CVE-2025-11282: 
NixOS vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in Frappe LMS versions 2.34.x through 2.35.0. The vulnerability affects the file upload functionality of the application, where malicious HTML and SVG files can be uploaded despite UI restrictions. This vulnerability is tracked as CVE-2025-11282 and has been assigned a CVSS v3.1 base score of 6.1 (MEDIUM) (NVD).

The vulnerability exists in the file upload feature where users can bypass file-type restrictions by switching from "Image Files" to "All Files" and uploading crafted payloads. While the platform presents a visual error message, the malicious files are still saved and can be accessed. When other users or administrators view the uploaded file, arbitrary JavaScript payloads execute in their browser. The vulnerability is particularly concerning as it persists even after the attempted fix for CVE-2025-55006, which only prevented visual rendering errors but did not properly enforce backend validation (GitHub Advisory, Exploit POC).

The vulnerability allows attackers to execute stored cross-site scripting attacks, potentially leading to session hijacking, data exfiltration, and privilege escalation. Sensitive information such as user email, administrator status, and full name can be stolen. Since the payloads remain stored in the application, any future viewer of the malicious content can be compromised (Exploit POC).

The affected component should be upgraded to a version newer than 2.35.0. Additionally, it is recommended to implement strict server-side validation of uploaded file types, reject non-image files at the backend, sanitize and neutralize SVG/HTML uploads, and implement Content Security Policy (CSP) headers to mitigate XSS impact (GitHub Advisory).