Cross-Site Scripting in Alumne LMS

Posted date
28/11/2023
Importance
3 - Media
Affected Resources

Alumne LMS, version 4.0.0.1.08.

Description

INCIBE has coordinated the publication of a vulnerability affecting the e-learning platform Alumne LMS in its version 4.0.0.1.08, which has been discovered by Ignacio Lis Malagón.

This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and vulnerability type CWE:

  • CVE-2023-6359: CVSS v3.1: 5.4 | CVSS: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CWE-79.
Solution

The vulnerability has been fixed in Alumne LMS version 4.0.0.1.44.

Detail
  • CVE-2023-6359: a Cross-Site Scripting (XSS) vulnerability has been found in Alumne LMS affecting version 4.0.0.1.08. An attacker could exploit the 'localidad' parameter to inject a custom JavaScript payload and partially take over another user's browser session, due to the lack of proper sanitisation of the 'localidad' field on the /users/editmy page.
References list

botón arriba