Cross-Site Scripting in Alumne LMS

Posted date 28/11/2023
Identifier
INCIBE-2023-0525
Importance
3 - Medium
Affected Resources

Alumne LMS, version 4.0.0.1.08.

Description

INCIBE has coordinated the publication of a vulnerability affecting the e-learning platform Alumne LMS in its version 4.0.0.1.08, which has been discovered by Ignacio Lis Malagón.

The vulnerability has been assigned the following CVE identifier, CVSS v3.1 base score, CVSS vector and CWE weakness type:

  • CVE-2023-6359: CVSS v3.1 base score 5.4 (Medium) | Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CWE-79 (Improper Neutralization of Input During Web Page Generation, Cross-site Scripting).
Solution

The vulnerability has been fixed in Alumne LMS version 4.0.0.1.44.

Detail
  • CVE-2023-6359: a Cross-Site Scripting (XSS) vulnerability has been found in Alumne LMS version 4.0.0.1.08. The value submitted in the 'localidad' parameter is rendered on the /users/editmy page without proper sanitisation or output encoding, so an attacker can inject a custom JavaScript payload and partially take over another user's browser session. As the CVSS vector indicates, exploitation requires an authenticated low-privileged account (PR:L) and interaction by the victim user (UI:R), and the impact crosses into the victim's session (S:C).
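The following is an added illustration, not code from Alumne LMS or from the advisory: a minimal stand-in for the /users/editmy profile page that reproduces the CWE-79 pattern (the stored 'localidad' value interpolated raw into HTML) beside a hardened version that applies contextual output encoding, plus a check that tells the two apart. The field name 'localidad' and the page path come from the advisory; the page markup, the two probe strings and the function names are assumptions made for this example. It goes slightly beyond the advisory by probing the attribute context as well as the text-node context, since a fix that only strips `<script>` tags would leave the former open.

```python
"""Illustrative stored-XSS check for the 'localidad' field.
Added example; not Alumne LMS code and not the advisory's own test."""
import html

FIELD = "localidad"  # parameter name taken from the advisory; the rest is assumed

# Constructed probes. The advisory publishes no payload; these are generic XSS canaries.
PROBE_TEXT = '<script>alert(1)</script>'       # breaks out inside an HTML text node
PROBE_ATTR = '" autofocus onfocus="alert(1)'    # breaks out of a double-quoted attribute


def render_profile_vulnerable(profile):
    """Assumed edit-profile page with the CWE-79 defect: the stored value is
    interpolated into HTML exactly as it was submitted."""
    value = profile[FIELD]
    return (
        '<form action="/users/editmy" method="post">'
        f'<input name="{FIELD}" value="{value}">'
        f'<p>Localidad: {value}</p>'
        '</form>'
    )


def render_profile_hardened(profile):
    """Same page with output encoding. html.escape(quote=True) neutralises
    < > & and both quote characters, which covers the text-node and the
    double-quoted-attribute contexts this template uses."""
    value = html.escape(profile[FIELD], quote=True)
    return (
        '<form action="/users/editmy" method="post">'
        f'<input name="{FIELD}" value="{value}">'
        f'<p>Localidad: {value}</p>'
        '</form>'
    )


def probe_survives(rendered, probe):
    """True if the probe reached the page byte-for-byte. A probe built from HTML
    metacharacters can only survive verbatim if no encoding was applied in that
    context, so verbatim reflection is direct evidence of the injection."""
    return probe in rendered


def is_injectable(render_fn):
    """Run both probes through a renderer; one survivor is enough to call it vulnerable."""
    return any(
        probe_survives(render_fn({FIELD: probe}), probe)
        for probe in (PROBE_TEXT, PROBE_ATTR)
    )


if __name__ == "__main__":
    print("vulnerable renderer injectable:", is_injectable(render_profile_vulnerable))
    print("hardened renderer injectable:  ", is_injectable(render_profile_hardened))
    print(render_profile_hardened({FIELD: PROBE_ATTR}))
```

When verifying a real fix rather than this stand-in, the same verbatim-reflection check applies to the live response of /users/editmy after saving a probe in 'localidad': the value should come back encoded (`&lt;script&gt;`, `&quot;`) in every place it is displayed, not merely stripped of one tag name.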