Cross-Site Scripting in Alumne LMS

Posted date
3 - Medium
Affected Resources

Alumne LMS, version


INCIBE has coordinated the publication of a vulnerability affecting the e-learning platform Alumne LMS in its version, which has been discovered by Ignacio Lis Malagón.

This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:

  • CVE-2023-6359: CVSS v3.1: 5.4 | CVSS: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CWE-79.

The vulnerability has been fixed in Alumne LMS version

  • CVE-2023-6359: a Cross-Site Scripting (XSS) vulnerability has been found in Alumne LMS affecting version An attacker could exploit the 'localidad' parameter to inject a custom JavaScript payload and partially take over another user's browser session, due to the lack of proper sanitisation of the 'localidad' field on the /users/editmy page.
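The advisory does not say how the fix was implemented. As an added illustration (not Alumne LMS code, and not taken from the advisory), the sketch below shows the usual two-layer mitigation for CWE-79 on a free-text profile field such as 'localidad': allow-list validation when the value is submitted, and encoding for the HTML context when it is rendered. All function names and the sample inputs are hypothetical.

```javascript
// Added example: names and rendering code are hypothetical, not Alumne LMS code.

// Encode the five characters that are significant in HTML text and quoted attributes.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Allow-list validation for a locality name: letters of any script, combining marks,
// spaces, and . ' - only; 1 to 100 code points after NFC normalisation and trimming.
const LOCALIDAD_RE = /^[\p{L}\p{M}][\p{L}\p{M} .'-]{0,99}$/u;
function validateLocalidad(raw) {
  if (typeof raw !== 'string') return { ok: false, reason: 'not a string' };
  const value = raw.normalize('NFC').trim();
  if (!LOCALIDAD_RE.test(value)) {
    return { ok: false, reason: 'disallowed characters or length' };
  }
  return { ok: true, value };
}

// 'Before': the stored value is concatenated into markup unencoded,
// so quote and angle-bracket characters change the structure of the page.
function renderProfileFieldUnsafe(localidad) {
  return '<input name="localidad" value="' + localidad + '">';
}

// 'After': the value is encoded for the attribute context at output time,
// regardless of whether validation ran when the value was stored.
function renderProfileFieldSafe(localidad) {
  return '<input name="localidad" value="' + escapeHtml(localidad) + '">';
}

// Constructed sample inputs: two legitimate locality names and one value
// containing markup characters.
const samples = ['Alcalá de Henares', "L'Hospitalet de Llobregat", '"><b>injected</b>'];
for (const s of samples) {
  console.log(JSON.stringify(s), validateLocalidad(s).ok, renderProfileFieldSafe(s));
}
```

Output encoding is the control that closes the flaw; the input validation only reduces what can reach storage and should not be relied on alone, since values already stored or written through other paths bypass it.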