Open eClass Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Open eClass platform, prior to version 4.2. This vulnerability allows authenticated students to inject malicious JavaScript into uploaded assignment files. The injected script is executed when instructors view the submission. The issue arises because the application permits students to upload assignment files in HTML format without adequately sanitizing or restricting active content.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of the user viewing the assignment, potentially leading to session cookie theft or unauthorized actions on behalf of the instructor.

Reproduction

To reproduce this vulnerability, authenticate as a student and upload an HTML file containing JavaScript, such as a script tag with JavaScript code, as an assignment submission. Then, log in as an instructor, navigate to the submitted assignment file, and open the uploaded file to observe the execution of the JavaScript in the instructor's browser.

Remediation

Users are advised to update to Open eClass version 4.2 or later, where this vulnerability has been patched.