Open eClass Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Open eClass platform, affecting versions prior to 4.2. This vulnerability allows authenticated high-privileged users, such as teachers or administrators, to inject malicious JavaScript into various user-controllable input fields across the application. The injected scripts are executed when other users access the affected pages. The vulnerability arises because the application fails to properly sanitize or encode user input before rendering it in HTML contexts. Exploitation could lead to the execution of arbitrary JavaScript in the context of other users' sessions, potentially allowing for session hijacking, unauthorized actions, or broader account compromise.

Impact

Successful exploitation allows for the execution of injected JavaScript in the context of other users' sessions, which could be used for session hijacking, performing unauthorized actions, or compromising user accounts.

Reproduction

To reproduce this vulnerability, log in as a teacher or course administrator and navigate to a course's Documents section. Upload or create a new document and insert a JavaScript payload into the document title field. After saving the document, log in as a student or another user and access the course's Documents page to observe the execution of the injected script.

Remediation

Users can update to Open eClass version 4.2 or later to address this vulnerability.
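The root cause stated above (user-controlled text rendered into HTML without encoding) and the shape of the fix are easier to see side by side. The following Node.js script is an added example, not Open eClass code: the function names, the `/documents/view?id=` path, the document record layout and the sample titles are all constructed for illustration. It renders a Documents-list row first the vulnerable way and then with output encoding, includes a regression check that tells the two apart, and finishes with a small audit over stored titles, since records saved before an upgrade keep whatever text they were saved with.

```javascript
// Added example (not Open eClass code). Shows the defect class from the
// advisory: a document title stored by a privileged user and later rendered
// into HTML without encoding, beside the hardened rendering.

// Map every HTML metacharacter to its entity so stored text can only ever be
// displayed as text, whether it lands in an element body or in a
// double-quoted attribute. Ampersand goes first so entities are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (assumed shape, for illustration): the title is
// concatenated straight into markup, so whatever a teacher typed into the
// title field becomes live HTML for every student who opens the page.
function renderDocumentRowUnsafe(doc) {
  return `<tr><td><a href="/documents/view?id=${doc.id}">${doc.title}</a></td></tr>`;
}

// Hardened pattern: encode at the point of output, in each context the value
// reaches (URL component for the id, HTML text for the title).
function renderDocumentRowSafe(doc) {
  const id = encodeURIComponent(String(doc.id));
  return `<tr><td><a href="/documents/view?id=${id}">${escapeHtml(doc.title)}</a></td></tr>`;
}

// Regression check worth keeping in a test suite: render the row with and
// without the title and compare how many tags appear. If the title adds any
// '<' to the output, it was emitted as markup rather than as text.
function titleIsInert(renderRow, doc) {
  const tagCount = (s) => (s.match(/</g) || []).length;
  const withTitle = renderRow(doc);
  const withoutTitle = renderRow({ ...doc, title: "" });
  return tagCount(withTitle) === tagCount(withoutTitle);
}

// Stored data outlives a code fix: titles saved earlier keep their content.
// Flag records whose title contains markup characters so they can be reviewed.
function auditTitles(docs) {
  return docs.filter((d) => /[<>]/.test(d.title)).map((d) => d.id);
}

// Constructed sample records standing in for rows of a Documents table.
const SAMPLE_DOCUMENTS = [
  { id: 101, title: "Week 1 lecture notes" },
  { id: 102, title: 'Exercises & solutions (part "A")' },
  { id: 103, title: "<script>alert(1)</script>" }, // constructed test string
];

function demo() {
  for (const doc of SAMPLE_DOCUMENTS) {
    console.log("unsafe:", renderDocumentRowUnsafe(doc));
    console.log("safe:  ", renderDocumentRowSafe(doc));
    console.log(
      "title inert? unsafe =", titleIsInert(renderDocumentRowUnsafe, doc),
      "safe =", titleIsInert(renderDocumentRowSafe, doc)
    );
  }
  console.log("titles to review:", auditTitles(SAMPLE_DOCUMENTS));
}

demo();
```

The check in `titleIsInert` is deliberately crude: it only counts angle brackets, which is enough to catch the pattern in this advisory (raw title text in an element body) but not every output context. A title placed inside an unquoted attribute, a `javascript:` URL, or an inline script block needs context-specific encoding that `escapeHtml` alone does not provide.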

Added: Feb 3, 2026, 6:20 PM
Updated: Feb 3, 2026, 6:20 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 1.7
exploitability: 5.9
remediation: 7.7
relevance: 2.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.