
Overview
Lectora Desktop versions 21.0–21.3 and Lectora Online versions 7.1.6 and older contained a cross-site scripting (XSS) vulnerability in courses published with Seamless Play Publish (SPP) enabled and Web Accessibility disabled. The vulnerability was initially patched in Lectora Desktop version 21.4 (October 25, 2022), but users must republish existing courses to apply the patch. This important republishing instruction was missing from the Desktop edition release notes, but it was included in the release notes for the recently patched Lectora Online (July 20, 2025). The CERT® Coordination Center is publishing this vulnerability note to amplify awareness as the Lectora software user base includes high-profile clients such as government agencies and large enterprises.
Description
The Lectora platform, developed by ELB Learning, is used to create and publish interactive e-learning courses. Lectora Inspire and Lectora Publisher are the Desktop editions of the software, and Lectora Online is the cloud-based edition.
Affected Versions
- Lectora Inspire and Lectora Publisher desktop editions versions 21.0–21.3
- Lectora Online versions 7.1.6 and older
Impact
Content published with Seamless Play Publish (SPP) enabled and Web Accessibility settings disabled in the affected versions can allow JavaScript injection via crafted URL parameters. Exploitation under this scenario could result in client-side script execution (e.g., alert or redirect), which poses a risk of session hijacking or user redirection.
Solution
The vulnerability is patched in Lectora Desktop (Publisher and Inspire version 21.4, released October 25, 2022) and Lectora Online (version 7.1.7, deployed July 20, 2025). To fully implement the solution:
- For Lectora Desktop customers: Please download the version 21.4 patch or a later update from portal.elblearning.com. You must then republish any courses that were created using older software versions.
- For Lectora Online customers: The update to version 7.1.7 was automatically applied on July 20, 2025. You must republish any courses that were created using older software versions.
Acknowledgements
Thanks to Mohammad Jassim for reporting this vulnerability. This document was written by Laurie Tyzenhaus.