CVE-2019-15487
Description
DfE School Experience before v16333-GA is vulnerable to stored XSS via a crafted teacher training URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The UK Department for Education's (DfE) School Experience application, prior to version v16333-GA, contains a stored cross-site scripting (XSS) vulnerability. The flaw is in the validation of the teacher training URL field. The application checked the submitted value against URI::regexp, but that pattern is built for extracting URIs from free text: it is not anchored to the start of the string and it accepts any syntactically valid scheme. A value such as javascript:alert(1), or one with arbitrary text placed in front of an http:// URL, therefore passes validation, is stored, and is later rendered for any user viewing the affected page, where the attacker-controlled content executes in that user's browser. The fix was introduced in commit 06a4bf0 and PR #769 [1][2].
Exploitation
An attacker must be able to submit a teacher training URL through the school on-boarding process. No elevated privileges are needed; any user with access to that submission form can exploit the flaw. The attacker submits a value that URI::regexp accepts but that is not a plain http:// or https:// URL: for example a javascript: URL such as javascript:alert(1) (javascript is a syntactically valid scheme), or a payload placed in front of a legitimate http:// URL (the regex is unanchored, so a URL anywhere in the string satisfies it). Because the value is emitted as a link rather than reflected as HTML, escaping of quotes and angle brackets on output does not neutralise it. The stored value is later rendered to other users, including school administrators or candidates, and the script executes in their browser context [2].
Impact
Successful exploitation allows an attacker who can submit a teacher training URL to execute arbitrary JavaScript in the context of a victim's session. This can lead to session hijacking, defacement, or theft of sensitive information such as authentication tokens or personal data. The scope is the whole School Experience application: every user who views the malicious URL entry is affected [1][2].
Mitigation
The vulnerability is fixed in version v16333-GA, released on or about August 5, 2019. The fix adds a validation requiring that the teacher training URL begin with http:// or https://, which rejects javascript: and other non-HTTP schemes as well as values with text ahead of the URL. All users should upgrade to v16333-GA or later. No workaround is documented for unpatched deployments, so immediate upgrade is recommended [1][2].
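The following is an added illustration of the validation flaw described under Vulnerability and of the anchored check described under Mitigation; it is example code written for this page, not code from the schools-experience project or from PR #769. It reproduces the vulnerable check in plain Ruby (URI::regexp is the stdlib pattern URI.extract uses, so it is unanchored and scheme-agnostic), puts a start-anchored http(s) check beside it as my reading of the described fix, adds a `^`-anchored near-miss for contrast, and renders each stored value as an escaped link to show why output escaping alone does not help. The sample submissions, the helper names and the `HTTP_ONLY` pattern are assumptions made for the example.

```ruby
require 'uri'
require 'erb'

# The unanchored pattern the vulnerable validator relied on. URI::regexp is the
# regexp URI.extract uses to pull URIs out of free text, so it has no \A anchor
# and accepts any syntactically valid scheme, javascript: included.
URI_REGEXP = URI.respond_to?(:regexp) ? URI.regexp : URI::RFC2396_Parser.new.make_regexp

# The check the advisory describes as the fix: the value must begin with
# http:// or https://. \A anchors to the start of the whole string.
# (My reading of the described fix; not the literal pattern from PR #769.)
HTTP_ONLY = %r{\Ahttps?://}

# A common near-miss, included for contrast: in Ruby, ^ matches at the start
# of ANY line, so a newline lets an attacker satisfy it on a second line.
LINE_ANCHORED = %r{^https?://}

def vulnerable_accepts?(value)
  URI_REGEXP.match?(value)
end

def fixed_accepts?(value)
  HTTP_ONLY.match?(value)
end

def line_anchored_accepts?(value)
  LINE_ANCHORED.match?(value)
end

# Emits the stored value as a link the way an auto-escaping template (ERB in
# Rails) would. Escaping turns quotes and angle brackets into entities, so
# breaking out of the attribute fails, but a javascript: scheme survives
# untouched: it is a well-formed attribute value and runs when followed.
def render_link(value)
  "<a href=\"#{ERB::Util.html_escape(value)}\">Teacher training</a>"
end

# Constructed sample submissions (hypothetical; not from the page or the project).
SAMPLES = [
  "https://example.org/training",              # legitimate
  "javascript:alert(document.cookie)",         # classic javascript: scheme
  "javascript:alert(1)//https://example.org/", # payload, then an http URL
  "text before https://example.org/",          # free text in front of the URL
  "not a url at all",                          # rejected by every check
  "javascript:alert(1)\nhttps://example.org/", # defeats ^ but not \A
]

# Runs every sample through all three checks; returns one hash per sample.
def audit(samples = SAMPLES)
  samples.map do |value|
    {
      value: value,
      vulnerable: vulnerable_accepts?(value),
      fixed: fixed_accepts?(value),
      line_anchored: line_anchored_accepts?(value),
    }
  end
end

# Counts how many samples each check lets through.
def acceptance_counts(samples = SAMPLES)
  rows = audit(samples)
  {
    vulnerable: rows.count { |r| r[:vulnerable] },
    fixed: rows.count { |r| r[:fixed] },
    line_anchored: rows.count { |r| r[:line_anchored] },
  }
end

if __FILE__ == $PROGRAM_NAME
  audit.each do |r|
    printf("%-45p vulnerable=%-5s fixed=%-5s caret-anchored=%s\n",
           r[:value], r[:vulnerable], r[:fixed], r[:line_anchored])
  end
  puts render_link("javascript:alert(document.cookie)")
  puts render_link('http://example.com">')
end
```

Run it with `ruby` to see that the URI::regexp check admits five of the six samples while the start-anchored http(s) check admits only the legitimate one, and that the escaped link for a javascript: value is emitted byte for byte. The `^` variant is there because Rails refuses such a format validator by default precisely for the newline reason shown in the last sample; `\A` is the anchor to use.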
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- DfE/School Experience
- Range: <v16333-GA
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- [1] https://github.com/DFE-Digital/schools-experience/pull/769
- [2] https://github.com/DFE-Digital/schools-experience/releases/tag/v16333-GA
News mentions
No linked articles in our index yet.