CVE-2025-41070

Vulnerability

Overview

CVE-2025-41070 is a reflected cross-site scripting (XSS) vulnerability found in Sanoma's Clickedu, an educational management platform. The vulnerability resides in the /students/carpetes_varies.php script, which fails to properly sanitize user-controlled input reflected in the page response. This allows an attacker to craft a URL containing malicious JavaScript that, when visited by an authenticated Clickedu user, executes in the context of the victim's browser session [1].

Attack

Vector

The attack requires the victim to click on a specially crafted URL, but the attacker does not need any special privileges beyond a valid account in the Clickedu platform (the CVSS v4.0 vector includes PR:L for low privileges and UI:A for user interaction) [1]. The malicious URL is sent to the target user, and upon loading the page, the injected script runs with the same origin as the vulnerable application.

Potential

Impact

Successful exploitation can lead to theft of sensitive user data, such as session cookies, allowing the attacker to impersonate the victim. The attacker could also perform actions on behalf of the victim within the Clickedu environment, potentially leading to further compromise of user accounts or data [1]. The CVSS v4.0 base score is 4.8 (Medium), with the vector indicating low impacts to confidentiality and integrity in the scope of the vulnerable component [1].

Mitigation

Sanoma released a fix for this vulnerability in the June 2 update. Users of Clickedu are strongly advised to ensure that this update has been applied to their instance [1].