I am submitting a news article for publishing my recent Zero day vulnerability. I have already contacted MITRE and have CVE-2025-46102 reserved now. Please find below details:

Title: Unsensitized URL Parameter Leading to XSS/Open Redirect Vulnerability in Beakon versions prior to 5.4.3

Description:

An unsanitized URL parameter vulnerability exists in the handling of the [url] parameter on the [Learning Management System (LMS)'s SCORM module]. This allows for both Cross-Site Scripting (XSS) and Phishing contents delivery attacks. By crafting a malicious URL, attackers can inject arbitrary JavaScript code that executes in the user's browser (XSS) or renders arbitrary external websites within an iframe. This issue affects Beakon application versions before 5.4.3.

Source Name/Email: Geoff Zhang, Geoff@cyber-risk.com.au (work email)
CVE: CVE-2025-46102 (Reserved for now)
Affected Software: Beakon Software
Affected Versions: versions prior to 5.4.3
Software URL: https://beakon.com.au/, https://beakon.io/

Proof of Concept/Content:

Crafting malicious URLs with JavaScript code injected into the [url] parameter to trigger XSS.  Injecting external URLs into the same to achieve phishing devliery.  A remote attacker can craft a malicious URL to execute arbitrary script code in a victim's browser or redirect victims to arbitrary external websites. A remote attacker can craft a malicious URL to execute arbitrary script code in a victim's browser or use it for phishing contents delivery as the malicous url will be rendered in an iframe which means attacker would stay within the legitimate domain.

A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted HTTP request to the loader.html 

https://example-base-url/loader.html?id=dummy&v=SCORM_12&preview=dummy&l=dummy&s=dummy&u=dummy&url={vulnerable}