yourmaileyes MOOC Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in yourmaileyes MOOC versions through 1.17. The issue resides in the comment submission function of the MainController.java file, within the Submission Handler component. The vulnerability arises because the application fails to validate incoming comments, allowing for the injection of malicious scripts. This flaw can be exploited remotely, and a public proof-of-concept exploit is available.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, log into the application and enter any course. Locate the comment submission feature and post a comment containing an XSS payload, for example a script tag whose JavaScript calls alert. Because the input is not validated or encoded, the injected script executes when the comment is viewed.
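The defect described above is a comment being stored and echoed back into the page as raw markup. The following is an added illustration, not code from the yourmaileyes MOOC project: a hypothetical comment handler showing the vulnerable concatenation next to a hardened version that encodes the comment for the HTML body context at render time. All class and method names are assumptions.

```java
import java.util.ArrayList;
import java.util.List;

// Hypothetical handler (not the project's MainController) that stores
// comments and renders them into an HTML fragment. Names are illustrative.
public class CommentHandlerExample {
    private final List<String> stored = new ArrayList<>();

    // Vulnerable pattern: the raw comment is stored and later concatenated
    // into the page, so markup inside it is interpreted by every viewer's browser.
    public String renderUnsafe(String comment) {
        stored.add(comment);
        return "<div class=\"comment\">" + comment + "</div>";
    }

    // Hardened pattern: encode for the HTML element-content context at output
    // time, so any markup in the comment is displayed as text, not executed.
    public String renderSafe(String comment) {
        stored.add(comment);
        return "<div class=\"comment\">" + escapeHtml(comment) + "</div>";
    }

    // Minimal entity encoder for element content. In production prefer a
    // maintained library such as the OWASP Java Encoder.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input mirroring the payload shape the advisory describes.
        String comment = "<script>alert(1)</script>";
        CommentHandlerExample h = new CommentHandlerExample();
        System.out.println("unsafe: " + h.renderUnsafe(comment));
        System.out.println("safe:   " + h.renderSafe(comment));
        // The safe rendering contains no tag from the comment, so the browser
        // shows the text literally instead of running it.
        assert !h.renderSafe(comment).contains("<script>");
    }
}
```

Output encoding at the point of rendering is the robust fix; rejecting suspicious input on submission alone is easy to bypass and should only complement it.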

Added: Dec 28, 2025, 12:19 PM
Updated: Dec 28, 2025, 12:19 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          1.7
  exploitability  7.7
  remediation     0.0
  relevance       1.8
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.