Open eClass Stored Cross-Site Scripting Vulnerability in User Profile Fields

A stored cross-site scripting vulnerability has been identified in the Open eClass platform, prior to version 4.2. This vulnerability allows authenticated students to inject malicious JavaScript into user profile fields, specifically the first and last name attributes. The injected script is executed when users with viewing privileges, such as teachers or administrators, access pages displaying the affected profile information. This issue arises because the application fails to properly sanitize user input in profile fields, enabling the execution of malicious scripts in the context of the user's browser.

Impact

Exploitation of this vulnerability allows for the execution of injected JavaScript in the browser of users with viewing privileges, potentially leading to session cookie theft, unauthorized actions on behalf of the victim, or compromise of user accounts.

Reproduction

To reproduce this vulnerability, log in as a student and navigate to the user profile edit page. Inject a JavaScript payload into the first name or last name field and save the changes. Then, log in as another user with permission to view the affected profile and access a page where the user's profile information is displayed. The injected JavaScript will execute in the browser.

Remediation

Users are advised to update to Open eClass version 4.2 or later.