Cross-Site Scripting in Alumne LMS

Posted date 28/11/2023

Importance

3 - Medium

Affected Resources

Alumne LMS, version 4.0.0.1.08.

Description

INCIBE has coordinated the publication of a vulnerability affecting the e-learning platform Alumne LMS in its version 4.0.0.1.08, which has been discovered by Ignacio Lis Malagón.

This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and vulnerability type CWE:

CVE-2023-6359: CVSS v3.1: 5.4 | CVSS: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CWE-79.

Solution

The vulnerability has been fixed in Alumne LMS version 4.0.0.1.44.

Detail

CVE-2023-6359: a Cross-Site Scripting (XSS) vulnerability has been found in Alumne LMS affecting version 4.0.0.1.08. An attacker could exploit the 'localidad' parameter to inject a custom JavaScript payload and partially take over another user's browser session, due to the lack of proper sanitisation of the 'localidad' field on the /users/editmy page.

References list

Alumne LMS

Etiquetas

0day
CNA
Education
Vulnerability