
CVE-2021-39181

8.8 HIGH

OpenOlat is a web-based learning management system (LMS)

Published: 2021-09-01 · Last updated: 2026-06-17

Severity and scoring

CVSS
8.8 HIGH
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-91

Affected products

Vendor   Product
frentix  openolat

Description

OpenOlat is a web-based learning management system (LMS). Prior to versions 15.3.18, 15.5.3, and 16.0.0, using a prepared import XML file (e.g. a course) any class on the Java classpath can be instantiated, including Spring AOP bean factories. This can be used by the attacker to execute arbitrary code. The attack requires an OpenOlat user account with the authoring role. It cannot be exploited by unregistered users. The problem is fixed in versions 15.3.18, 15.5.3, and 16.0.0. There are no known workarounds aside from upgrading.

Source: NVD
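The mechanism behind this class of bug, shown with an added example that is not OpenOlat's code and does not reproduce its actual import path: a hypothetical course-import routine that maps a class name taken from the uploaded XML to a Java class via reflection. The vulnerable variant instantiates whatever the file names, which is how "any class on the classpath" (bean factories included) becomes reachable by an author; the hardened variant checks an explicit allowlist before any reflection runs. The `XmlImportDemo`, `CourseNode`, `importUnsafe` and `importSafe` names, the sample XML documents and the choice of `javax.script.ScriptEngineManager` as the stand-in "unexpected class" are all assumptions made for the illustration.

```java
// Added example (not OpenOlat code): a hypothetical XML import that maps
// a class name from the file to a Java class by reflection, vulnerable
// and hardened side by side.
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Set;

public class XmlImportDemo {

    // Constructed sample input. A legitimate export names an import type;
    // a prepared file names any other class present on the classpath.
    static final String BENIGN =
        "<import><object class=\"XmlImportDemo$CourseNode\"/></import>";
    static final String MALICIOUS =
        "<import><object class=\"javax.script.ScriptEngineManager\"/></import>";

    // The only type the importer is meant to create (hypothetical).
    public static class CourseNode {
        @Override public String toString() { return "CourseNode"; }
    }

    // Parse with DTDs disabled: unrelated to this CVE, but the baseline
    // for any parser that receives attacker-controlled XML.
    static Element parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return (Element) d.getDocumentElement()
                          .getElementsByTagName("object").item(0);
    }

    // VULNERABLE: the class attribute is trusted, so the uploader chooses
    // which class is instantiated. Reflection-driven XML deserializers make
    // the same mistake when element names select classes with no allowlist.
    static Object importUnsafe(String xml) throws Exception {
        String cls = parse(xml).getAttribute("class");
        return Class.forName(cls).getDeclaredConstructor().newInstance();
    }

    // HARDENED: only explicitly listed import types may be instantiated;
    // anything else is rejected before Class.forName is ever called.
    static final Set<String> ALLOWED = Set.of("XmlImportDemo$CourseNode");

    static Object importSafe(String xml) throws Exception {
        String cls = parse(xml).getAttribute("class");
        if (!ALLOWED.contains(cls)) {
            throw new SecurityException("class not permitted in import: " + cls);
        }
        return Class.forName(cls).getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("unsafe/benign:    " + importUnsafe(BENIGN));
        // A class the importer never intended to create is constructed anyway.
        System.out.println("unsafe/malicious: "
            + importUnsafe(MALICIOUS).getClass().getName());
        System.out.println("safe/benign:      " + importSafe(BENIGN));
        try {
            importSafe(MALICIOUS);
        } catch (SecurityException e) {
            System.out.println("safe/malicious:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac XmlImportDemo.java && java XmlImportDemo` on a standard JDK. The allowlist, rather than a denylist of known-dangerous classes, is the fix that matches the advisory: the attacker needs only one reachable class with a usable constructor, and the classpath of a Spring-based webapp offers many.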

Related CVEs

Same vendor

  • CVE-2021-41152 OpenOlat is a web-based e-learning platform for teaching, learning, assessment and communication, an LMS, a learning management system (7.7 HIGH)
  • CVE-2021-39180 OpenOLAT is a web-based learning management system (LMS) (8.1 HIGH)

Same CWE

  • CVE-2026-53723 Guzzle Services provides an implementation of the Guzzle Command library that uses Guzzle service descriptions to describe web services, ... (5.8 MEDIUM)
  • CVE-2026-46490 samlify is a Node.js library for SAML single sign-on (8.8 HIGH)
  • CVE-2026-11169 Inappropriate implementation in XML in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML... (8.1 HIGH)
  • CVE-2026-47273 pam_usb provides hardware authentication for Linux using ordinary removable media (6.5 MEDIUM)
  • CVE-2026-40165 authentik is an open-source identity provider (8.7 HIGH)