STATEMENT FROM ELB LEARNING REGARDING LIMITED SCOPE JAVASCRIPT INJECTION
August 18, 2025
ELB Learning remediated a vulnerability that was identified in Lectora-published courses that were:
- Created with Lectora Inspire, Publisher, and Lectora 21 through 21.3 or Lectora Online prior to July 20, 2025,
- Published with Seamless Play Publish (SPP) explicitly enabled,
- And had Web Accessibility options disabled in Project Options.
When all three conditions are met, the published content could allow JavaScript injection via crafted URL parameters. Exploitation under this scenario could result in client-side script execution (e.g., alert or redirect), which poses a limited-scope risk of session hijacking or user redirection. Notably, if Web Accessibility was enabled, SPP was automatically disabled, which prevents exploitation of the vulnerability.
Resolution
This issue was fully addressed in Lectora 21 version 21.4, released in 2022, and Lectora Online (7.1.7) on 7/20/2025. Any content republished using version 21.4 or later or Lectora Online after 7/20/25 is not susceptible.
Testing Method
As part of internal validation, you may optionally test legacy courses by appending the following to the hosted course URL:
?jmptopg=javascript:alert("Hello World!")
If no alert occurs, the content is unaffected. If the alert appears, we recommend that customers upgrade to the latest version of Lectora Desktop or Lectora Online and republish their courses with it.
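For teams that host legacy courses, the following added example (not ELB Learning's code) scans web server access logs for requests whose jmptopg parameter decodes to a javascript: URL, which shows which hosted courses have received such requests. The combined log format, the hosts and paths, and the benign page_12.html value are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

PARAM = "jmptopg"  # parameter name taken from the advisory's test string
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')
# Control characters and spaces are removed before comparing, so a scheme
# split by a tab or newline still matches; this errs toward flagging.
NOISE_RE = re.compile(r"[\x00-\x20]+")

# Constructed sample lines (combined log format); hosts and paths are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Aug/2025:10:00:01 +0000] "GET /courses/demo/index.html'
    '?jmptopg=javascript:alert(%22Hello%20World!%22) HTTP/1.1" 200 5120',
    '203.0.113.7 - - [18/Aug/2025:10:00:09 +0000] "GET /courses/demo/index.html'
    '?jmptopg=JavaScript%3Aalert(1) HTTP/1.1" 200 5120',
    '198.51.100.4 - - [18/Aug/2025:10:02:30 +0000] "GET /courses/demo/index.html'
    '?jmptopg=page_12.html HTTP/1.1" 200 5120',
    '198.51.100.4 - - [18/Aug/2025:10:03:00 +0000] "GET /courses/demo/index.html'
    '?ref=javascript HTTP/1.1" 200 5120',
]

def is_script_url(value, max_decode=3):
    """Return True if value is a javascript: URL, allowing nested encoding."""
    for _ in range(max_decode):
        if NOISE_RE.sub("", value).lower().startswith("javascript:"):
            return True
        value = unquote(value)
    return False

def suspicious_requests(log_lines):
    """Return request targets whose jmptopg parameter is a javascript: URL."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group(1)
        # parse_qsl percent-decodes each value once before the check.
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if name.lower() == PARAM and is_script_url(value):
                hits.append(target)
                break
    return hits

if __name__ == "__main__":
    for target in suspicious_requests(SAMPLE_LOG):
        print("review:", target)
```

A hit only shows that such a request was received; whether the course is affected still depends on the three conditions listed above.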
Mitigation Guidance
Republish any legacy content that fits the criteria above using a current version of Lectora.
Should you have further questions, please contact support@elblearning.com.