CVE-2021-47907: Rocket LMS 1.1 Persistent Cross-Site Scripting via Support Tickets
Rocket LMS 1.1 contains a persistent cross-site scripting vulnerability in the support ticket module that allows authenticated users to inject malicious script code through the title parameter. Attackers can submit support tickets with embedded HTML/JavaScript payloads that execute in the browsers of other users viewing the message history, enabling session hijacking and phishing attacks.
Security readout for executives and security teams
Plain-English summary
Rocket LMS 1.1 has a stored cross-site scripting issue in support tickets. An authenticated user can place script-capable content in a ticket title, and that content may run when other users view ticket message history. The business risk is account misuse, phishing, and loss of trust in the LMS support workflow.
Executive priority
Treat this as a moderate-priority web application risk. It is not listed as KEV, but a public exploit reference exists and authenticated attackers could target staff or learners who review support tickets.
Technical view
CVE-2021-47907 is CWE-79 persistent XSS in Rocketsoft Rocket LMS 1.1. The reported input is the support ticket title parameter. The CVSS 3.1 score is 6.4 with network access, low complexity, low privileges, changed scope, and low confidentiality/integrity impact.
Likely exposure
Exposure appears limited to organizations running Rocket LMS version 1.1 with the support ticket module available to authenticated users.
Exploitation context
The bundle references ExploitDB and a VulnCheck advisory, indicating public technical disclosure. KEV is false, and the provided sources do not state active exploitation in the wild.
Researcher notes
Evidence identifies Rocket LMS 1.1 and the title parameter in support tickets. The bundle does not provide a confirmed patch, affected version range beyond 1.1, CPEs, or active exploitation evidence. Avoid assuming other Rocket LMS versions are affected.
Mitigation direction
Check Rocketsoft and VulnCheck guidance for any vendor-confirmed fix or upgrade path.
Restrict support ticket creation to trusted authenticated users where practical.
Review support ticket titles and history for suspicious script-like content.
Increase monitoring for unusual LMS sessions, account activity, and phishing reports.
Validation and detection
Confirm whether Rocket LMS 1.1 is deployed in any environment.
Verify whether the support ticket module is enabled and user-accessible.
Review existing support ticket titles for embedded HTML or script-like content.
Confirm whether vendor guidance, patches, or compensating controls are documented internally.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-79: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-79 · source CWE mapping
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.