VU#780141: Cross-site scripting vulnerability in Lectora course navigation
A cross-site scripting vulnerability exists in older versions of Lectora Desktop and Lectora Online. Specifically, Lectora Desktop versions 21.0 to 21.3 and Lectora Online versions 7.1.6 and older are affected. This vulnerability occurs in courses published with Seamless Play Publish enabled and Web Accessibility disabled. Exploiting this flaw allows for JavaScript injection through crafted URL parameters. Such an attack could lead to session hijacking or user redirection. The vulnerability was patched in Lectora Desktop version 21.4, released on October 25, 2022. Lectora Online also received a patch, version 7.1.7, deployed on July 20, 2025. Crucially, users must republish their existing courses to apply these patches. This instruction was mistakenly omitted from the Desktop release notes. The CERT Coordination Center is raising awareness due to high-profile users of Lectora software.