CVE-2022-38553: Academy Learning Management System before v5.9.1 was discovered to contain a reflected cross-site scripting...
Academy Learning Management System before v5.9.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Search parameter.
Security readout for executives and security teams
Plain-English summary
CVE-2022-38553 is a reflected cross-site scripting issue in Academy Learning Management System before v5.9.1. A crafted search request can cause browser-side script execution if a user follows it. Business risk is mainly account misuse, session exposure, or malicious content shown in a trusted LMS context.
Executive priority
Treat as a moderate web application risk. Prioritize if the LMS is public-facing, used by employees or customers, or shares authentication with sensitive systems. It is not listed as known exploited in KEV.
Technical view
The vulnerability is CWE-79 reflected XSS through the Search parameter. CVSS 3.1 is 6.1: network reachable, low complexity, no privileges, user interaction required, changed scope, low confidentiality and integrity impact, no availability impact.
Likely exposure
Exposure is likely limited to organizations running Academy Learning Management System versions before v5.9.1, especially internet-facing LMS portals with the search feature enabled. The source bundle provides no CPEs, vendor identifier, or asset fingerprinting details.
Exploitation context
The bundle includes public references demonstrating the issue, but CISA KEV status is false and no cited source states active exploitation. Exploitation requires getting a user to interact with a crafted link or request.
Researcher notes
Evidence supports reflected XSS in the search parameter before v5.9.1. The affected metadata is incomplete: vendor, product CPEs, and official advisory details are not supplied. Avoid assuming broader Academy-branded products are affected.
Mitigation direction
Upgrade Academy Learning Management System to v5.9.1 or later where applicable.
Check vendor or marketplace guidance for the current supported fixed release.
Apply output encoding and input handling fixes around search result rendering.
Review WAF or browser security controls as compensating controls only.
Validation and detection
Inventory all Academy Learning Management System deployments and confirm exact versions.
Check whether any deployment is earlier than v5.9.1.
Review the search feature for reflected, unencoded user-controlled input.
Inspect web logs for unusual search requests and user-reported redirects or popups.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-79: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-79 · source CWE mapping
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.