Reflected Cross-site Scripting (XSS) in Sanoma's Clickedu
Clickedu
INCIBE has coordinated the publication of a medium-severity vulnerability affecting Sanoma's Clickedu, a platform for efficient educational management. The vulnerability was discovered by Guzman Fernández Ocaña.
This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:
CVE-2025-41070: CVSS v4.0: 4.8 | CVSS AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
This vulnerability was fixed in the 2 June update.
CVE-2025-41070: Reflected Cross-site Scripting (XSS) vulnerability in Sanoma's Clickedu. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL in '/students/carpetes_varies.php'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
