VYPR
Medium severity (6.4) · NVD Advisory · Published May 11, 2025 · Updated Apr 15, 2026

CVE-2025-47828

Description

Lumi H5P-Nodejs-library before 9.3.3 omits a sanitizeHtml call for plain text strings.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2025-47828: Lumi H5P-Nodejs-library before 9.3.3 omits sanitizeHtml for plain text strings, enabling stored XSS attacks.

Vulnerability

Description

The Lumi H5P-Nodejs-library, a TypeScript-based toolkit for creating custom H5P servers on NodeJS, contains a cross-site scripting (XSS) vulnerability in versions prior to 9.3.3. The core issue is that the sanitizeHtml call is omitted when processing plain text strings, meaning user-supplied input that was intended to be unformatted text is not properly cleaned of potentially dangerous HTML or JavaScript content [1][2].

Exploitation

Scenario

An attacker can exploit this flaw by providing specially crafted plain text strings that contain malicious HTML or JavaScript code. Because the library fails to sanitize these plain text inputs before rendering them in the H5P player or editor, the injected code can be executed in the browser context of any user who views or interacts with the malicious H5P content [1][3]. No special authentication or elevated privileges are required beyond the ability to provide content to an affected H5P instance.

Impact

Successful exploitation leads to stored cross-site scripting (XSS), enabling the attacker to execute arbitrary scripts in the context of the victim's browser session. This can result in data theft, session hijacking, defacement of the H5P UI, or further compromise of the end user's account and sensitive information [1][3].

Mitigation

Status

The vulnerability was addressed in version 9.3.3 of the H5P-Nodejs-library, as shown in the pull request that added sanitization for text strings without formatting [1][4]. Users are strongly advised to update to version 9.3.3 or later to eliminate the XSS risk.
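The bug class described above, as an added example (not code from H5P-Nodejs-library or from the fixing pull request): a hypothetical semantics-driven parameter sanitizer with the plain-text gap beside its corrected form. The `sanitizeHtml` here is a minimal stand-in for the real sanitizer, and the field descriptors are modelled on H5P's semantics format as an assumption.

```javascript
// Stand-in for a real sanitize-html call: keeps only allowlisted tags and
// drops every attribute. Illustrative only; use a maintained sanitizer
// (e.g. the sanitize-html package) in real code.
function sanitizeHtml(html, allowedTags) {
  const allowed = new Set(allowedTags.map((t) => t.toLowerCase()));
  return html.replace(
    /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g,
    (_, slash, name) =>
      allowed.has(name.toLowerCase()) ? `<${slash}${name.toLowerCase()}>` : ''
  );
}

// Field descriptors are modelled on H5P's semantics.json (assumption): a text
// field is plain unless it declares widget: 'html', with `tags` allowed.
function sanitizeParamsVulnerable(semantics, params) {
  const out = {};
  for (const field of semantics) {
    const value = params[field.name];
    if (field.type !== 'text' || typeof value !== 'string') continue;
    out[field.name] = field.widget === 'html'
      ? sanitizeHtml(value, field.tags || [])
      : value; // BUG: plain text reaches the player unsanitized
  }
  return out;
}

function sanitizeParamsFixed(semantics, params) {
  const out = {};
  for (const field of semantics) {
    const value = params[field.name];
    if (field.type !== 'text' || typeof value !== 'string') continue;
    out[field.name] = field.widget === 'html'
      ? sanitizeHtml(value, field.tags || [])
      : sanitizeHtml(value, []); // FIX: plain text may carry no tags at all
  }
  return out;
}

// Constructed sample content: a plain title and a formatted body.
const SEMANTICS = [
  { name: 'title', type: 'text' },
  { name: 'body', type: 'text', widget: 'html', tags: ['b', 'i'] },
];
const PARAMS = {
  title: 'Quiz <script>alert(1)</script>',
  body: '<b onclick="x()">Bold</b><script>alert(1)</script>',
};
console.log(sanitizeParamsVulnerable(SEMANTICS, PARAMS));
console.log(sanitizeParamsFixed(SEMANTICS, PARAMS));
```

Running it under Node prints both results; only the fixed version strips the tags from the plain `title` field, while the HTML-widget `body` is handled identically in both.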

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Ecosystem   Affected versions   Patched versions
@lumieducation/h5p-server    npm         < 9.3.3             9.3.3

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
