VYPR

Openolat

by Frentix

Source repositories

CVEs (9)

  • CVE-2026-31946CriMar 30, 2026
    risk 0.57cvss 9.8epss 0.00

    OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. From version 10.5.4 to before version 20.2.5, OpenOLAT's OpenID Connect implicit flow implementation does not verify JWT signatures. The JSONWebToken.parse() method…

  • CVE-2026-28228HigMar 30, 2026
    risk 0.50cvss 8.8epss 0.00

    OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. Prior to versions 19.1.31, 20.1.18, and 20.2.5, an authenticated user with the Author role can inject Velocity directives into a reminder email template. When the…

  • CVE-2024-28198Mar 11, 2024
    risk 0.00cvss epss 0.00

    OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. By manually manipulating http requests when using the draw.io integration it is possible to read arbitrary files as the configured system user and SSRF. The problem is…

  • CVE-2024-25974Feb 20, 2024
    risk 0.00cvss epss 0.01

    The Frentix GmbH OpenOlat LMS is affected by stored a Cross-Site Scripting (XSS) vulnerability. It is possible to upload files within the Media Center of OpenOlat version 18.1.5 (or lower) as an authenticated user without any other rights. Although the filetypes are limited, an…

  • CVE-2024-25973Feb 20, 2024
    risk 0.00cvss epss 0.01

    The Frentix GmbH OpenOlat LMS is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities. An attacker with rights to create or edit groups can create a course with a name that contains an XSS payload. Furthermore, attackers with the permissions to create or…

  • CVE-2021-41242Dec 10, 2021
    risk 0.00cvss epss 0.01

    OpenOlat is a web-basedlearning management system. A path traversal vulnerability exists in OpenOlat prior to versions 15.5.12 and 16.0.5. By providing a filename that contains a relative path as a parameter in some REST methods, it is possible to create directory structures and…

  • CVE-2021-41152Oct 18, 2021
    risk 0.00cvss epss 0.01

    OpenOlat is a web-based e-learning platform for teaching, learning, assessment and communication, an LMS, a learning management system. In affected versions by manipulating the HTTP request an attacker can modify the path of a requested file download in the folder component to…

  • CVE-2021-39181Sep 1, 2021
    risk 0.00cvss epss 0.02

    OpenOlat is a web-based learning management system (LMS). Prior to version 15.3.18, 15.5.3, and 16.0.0, using a prepared import XML file (e.g. a course) any class on the Java classpath can be instantiated, including spring AOP bean factories. This can be used to execute code…

  • CVE-2021-39180Aug 31, 2021
    risk 0.00cvss epss 0.02

    OpenOLAT is a web-based learning management system (LMS). A path traversal vulnerability exists in versions prior to 15.3.18, 15.5.3, and 16.0.0. Using a specially prepared ZIP file, it is possible to overwrite any file that is writable by the application server user (e.g. the…