PatchSiren

PatchSiren cyber security CVE debrief

CVE-2021-47907 Lms CVE debrief

CVE-2021-47907 describes a persistent cross-site scripting issue in the Rocket LMS 1.1 support ticket module. An authenticated user can inject HTML/JavaScript through the title parameter, and the payload may execute when other users view the ticket history. The supplied description ties the issue to common XSS impacts such as session hijacking and phishing, so this is primarily a user-facing data integrity and account-safety concern rather than a remote unauthenticated compromise.

Vendor: Lms
Product: Unknown
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-10
Original CVE updated: 2026-05-10
Advisory published: 2026-05-10
Advisory updated: 2026-05-10

Who should care

Administrators and security teams running Rocket LMS, especially environments that let users create or review support tickets. Help desk staff, support agents, and any users who can view ticket histories should also be aware because stored content may render in their browsers.

Technical summary

The supplied record identifies CWE-79 (cross-site scripting) and a CVSS 4.0 vector consistent with network-reachable exploitation that requires low privileges and user interaction. The vulnerable surface is the support ticket title parameter in Rocket LMS 1.1, where input is stored and later rendered to other users. Because the payload is persistent, the risk is not limited to the original submitter's session; any viewer of the affected ticket content may be exposed.

Defensive priority

Medium. This is a stored XSS issue with authenticated access requirements, but it can still affect multiple users and enable credential theft or fraudulent actions in affected sessions.

Recommended defensive actions

  • Identify whether any Rocket LMS instances are running version 1.1 or other affected builds referenced by your vendor guidance.
  • Apply the vendor fix or upgrade path as soon as it is available; if no fix is available yet, use the strongest available server-side input validation and output encoding controls.
  • Review the support ticket module for stored XSS exposure, especially fields rendered in ticket lists, message history, and admin views.
  • Add or verify context-appropriate output encoding for ticket titles and any other user-controlled fields.
  • Restrict who can submit or view tickets where practical, and limit high-privilege account use in the ticket UI.
  • Harden session protections such as HttpOnly and SameSite cookie settings to reduce the impact of browser-side script execution.
  • Scan for similar XSS patterns across other Rocket LMS inputs and perform regression testing after remediation.
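As an added illustration of the output-encoding action above (example code written for this debrief, not Rocket LMS code; the stored title value, the renderer functions and the showPreview call are constructed), this Python snippet encodes the same stored ticket title differently for HTML text, attribute and script contexts, places the vulnerable verbatim-interpolation pattern beside the hardened one, and includes the kind of regression check the last bullet calls for:

```python
import html
import json

# Constructed sample of a stored ticket title carrying markup (not from the CVE record).
STORED_TITLE = '<img src=x onerror="alert(1)"> Login "broken"'


def encode_html_text(value: str) -> str:
    """Encode for an HTML text node, e.g. the title cell in the ticket list."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """Encode for a double-quoted attribute value, e.g. a title="..." tooltip."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """Encode for a JS string literal inside a <script> block.

    json.dumps escapes quotes and backslashes; '<' and '>' are additionally
    escaped so a stored '</script>' cannot terminate the block early.
    """
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_ticket_row_unsafe(title: str) -> str:
    """The vulnerable pattern: the stored title is interpolated verbatim."""
    return f'<tr><td title="{title}">{title}</td></tr>'


def render_ticket_row(title: str) -> str:
    """Hardened row: the same title is encoded once per rendering context."""
    return (
        f'<tr><td title="{encode_html_attr(title)}">{encode_html_text(title)}</td>'
        f"<td><script>showPreview({encode_js_string(title)});</script></td></tr>"
    )


def adds_no_markup(renderer, title: str) -> bool:
    """Regression check: rendering the title must not add any tag that the
    empty-title template does not already contain."""
    return renderer(title).count("<") == renderer("").count("<")


if __name__ == "__main__":
    print(render_ticket_row(STORED_TITLE))
    print("unsafe renderer adds markup:", not adds_no_markup(render_ticket_row_unsafe, STORED_TITLE))
    print("hardened renderer adds markup:", not adds_no_markup(render_ticket_row, STORED_TITLE))
```

The same tag-count comparison can be run against every view that renders ticket fields (list, message history, admin pages) as a cheap post-remediation regression check.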

Evidence notes

This debrief is based on the supplied CVE description and the official NVD record metadata, which lists CWE-79 and references a VulnCheck advisory plus an Exploit-DB reference. The source item shows the CVE record as received on 2026-05-10. Vendor information in the supplied corpus is low confidence and needs review, so product naming should be validated against official vendor guidance before remediation planning.

Official resources

Publicly listed in the supplied official record. No KEV listing is included in the provided corpus, and the source item status is 'Received'.