Stored XSS Vulnerability in Open edX Platform < Lilac Release-2021-08-02-19.11

Written by Isadora Gregori

Published on 30 Oct 2021


TL;DR

SureCloud identified a stored cross-site scripting (XSS) vulnerability within the Open edX platform prior to Lilac release-2021-08-02-19.11. Open edX is a Learning Management System (LMS) used in many large organizations, including Microsoft, IBM and several universities.

JavaScript access to the main session token was restricted, preventing trivial session hijack. However, account hijack was still possible by leveraging the XSS vulnerability to change the email address associated with an account to an attacker-controlled address and then issuing a password reset request.

The following article aims to provide a technical overview of the identified vulnerability.

Test Environment

Open edX is an open-source project available on GitHub (https://github.com/edx/edx-platform). For testing purposes, the Docker-based Open edX distribution Tutor (https://docs.tutor.overhang.io/) was used to deploy a local instance of the latest Lilac release.

CVE-2021-39248 – Authenticated Stored XSS via LaTeX Injection

The Open edX platform was observed to render LaTeX content within discussion posts for authenticated users. Leveraging LaTeX injection, it was possible to achieve stored XSS in the form of a malicious JavaScript URL embedded in a discussion post. If a user viewed the post and clicked on the URL, the stored JavaScript would execute in the context of their session.

The following payload, which causes a popup box if executed, was used to detect and validate the presence of this vulnerability:

 $\href{javascript:alert(2)}{XSS}$

This vulnerability was assigned a CVSSv3 score of 6.1, based on the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N.

Demonstrating Impact – Account Hijack

To demonstrate the impact of XSS and the importance of fixing other less severe issues, SureCloud chained multiple issues together to achieve account hijack on the Open edX platform. The issues chained together were as follows:

  • XSS (CVE-2021-39248)
  • Sensitive information (Username & CSRF tokens) stored in cookies without the HttpOnly cookie flag set.
  • Username used in request URLs for managing profiles.
  • The sign-in email address could be changed without requiring re-authentication.

Combining these issues, a malicious user could carry out the following attack chain:

  • Embed a malicious JavaScript URL into a discussion post.
  • Lure or wait for a user to visit the post and click on the malicious link.
  • Upon being clicked, the JavaScript would execute and parse the ‘csrftoken’ and ‘edx-user-info’ cookie values, resulting in the compromise of a usable CSRF token and the username of the victim.
  • Using these values, the JavaScript could then make a ‘PATCH’ XMLHttpRequest to the ‘/api/user/v1/accounts/<username>’ endpoint, populating the end of the URL with the obtained username and setting the ‘X-Csrftoken’ header to the value obtained from the relevant cookie.
  • This request would cause the email address of the victim’s account to be amended to that of an attacker-supplied value.
  • At this stage, an attacker would be able to issue a ‘forgot password’ request and take ownership of the account.
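The second link in this chain, cookies holding the CSRF token and username without the HttpOnly flag, is something an operator can check directly from a login response. The script below is an added example written for this article, not Open edX code: it parses Set-Cookie headers and reports, per cookie, the attributes that bound what injected script (HttpOnly) or a plaintext network path (Secure, SameSite) can reach. The sample headers are constructed to mirror the cookie names the post mentions, and the SENSITIVE set is this example's own choice (‘sessionid’ is Django's default session cookie name). Whether a given cookie must remain script-readable is a design decision; the audit only makes the exposure explicit.

```python
"""Audit Set-Cookie headers for the attributes that limit what injected script
or a plaintext connection can read. Added example, not Open edX code; the
sample headers below are constructed for this demonstration."""
from dataclasses import dataclass, field
from typing import Dict, List

# Cookie names this audit treats as sensitive: the two the post describes plus
# Django's default session cookie name. Example's own choice.
SENSITIVE = {"csrftoken", "edx-user-info", "sessionid"}

# Constructed sample headers, as a test client would see them in a login response.
SAMPLE_HEADERS = [
    "Set-Cookie: sessionid=s3ss10n; Path=/; HttpOnly; Secure; SameSite=Lax",
    "Set-Cookie: csrftoken=c5rf; Path=/; Secure; SameSite=Lax",
    'Set-Cookie: edx-user-info={"username": "alice"}; Path=/; Secure',
]


@dataclass
class CookieReport:
    name: str
    attrs: Dict[str, str]                  # lower-cased attribute -> value ("" for flags)
    findings: List[str] = field(default_factory=list)

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def samesite(self) -> str:
        return self.attrs.get("samesite", "").lower()


def parse_set_cookie(header: str) -> CookieReport:
    """Split one Set-Cookie header (with or without the 'Set-Cookie:' prefix)
    into the cookie name and its attribute map."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    name_value, *attr_parts = (p.strip() for p in header.split(";"))
    name = name_value.split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in attr_parts:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return CookieReport(name=name, attrs=attrs)


def audit_cookie(report: CookieReport) -> CookieReport:
    """Attach findings for the attributes that matter against XSS and transport."""
    if report.name.lower() in SENSITIVE and not report.httponly:
        report.findings.append("no HttpOnly: readable by any script running on the origin")
    if not report.secure:
        report.findings.append("no Secure: may be sent over plaintext HTTP")
    if report.samesite == "":
        report.findings.append("no SameSite: cross-site sending depends on browser defaults")
    elif report.samesite == "none" and not report.secure:
        report.findings.append("SameSite=None without Secure: browsers reject this cookie")
    return report


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its findings; an empty list means the cookie passed."""
    return {r.name: r.findings
            for r in (audit_cookie(parse_set_cookie(h)) for h in headers)}


if __name__ == "__main__":
    for cookie, findings in audit_headers(SAMPLE_HEADERS).items():
        print(cookie, "OK" if not findings else "; ".join(findings))
```

Run against the constructed headers, ‘sessionid’ passes, ‘csrftoken’ is flagged only for the missing HttpOnly flag, and ‘edx-user-info’ is flagged for both HttpOnly and SameSite. Pointing the same parser at a real login response is a one-line change in the caller.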

Remediation

As of release-2021-08-02-19.11, Open edX sanitizes untrusted user input to prevent LaTeX code containing JavaScript URLs from rendering on the frontend. This fix successfully mitigates the aforementioned XSS vulnerability (CVE-2021-39248).

All system admins of Open edX platforms are advised to upgrade to the latest Lilac release.
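The fix described above is server-side filtering of user-supplied LaTeX so that ‘\href’ links carrying script-bearing URLs never reach the renderer. The following is an added example of such a filter written for this article, not Open edX's own code: it locates ‘\href{url}{text}’ with brace matching (so a URL containing braces cannot slip past a flat regular expression), normalises the URL the way a browser would before scheme detection (HTML entities decoded, ASCII control characters and spaces removed, scheme lower-cased) and keeps only links whose scheme is on an allow-list, replacing anything else with its plain label. The function names and the SAFE_SCHEMES list are this example's own choices; the detection payload from the CVE section above is used as one of the inputs.

```python
"""Neutralise \\href links with non-allow-listed URL schemes in user LaTeX.

Added example, not Open edX code. Function names and SAFE_SCHEMES are this
example's own choices."""
import html
import re
from urllib.parse import urlsplit

# Schemes a discussion link may carry; anything else (javascript:, data:,
# vbscript:, ...) is neutralised. Relative URLs have no scheme and pass.
SAFE_SCHEMES = frozenset({"http", "https", "mailto"})

# Browsers discard ASCII control characters and spaces while parsing a URL, so
# a scheme can be hidden behind them; normalise the same way before checking.
_STRIP_RE = re.compile(r"[\x00-\x20\x7f]")


def url_scheme(url: str) -> str:
    """Scheme of `url` as a browser would see it, lower-cased; "" if relative.
    Entities are decoded first because the DOM decodes them before MathJax runs."""
    cleaned = _STRIP_RE.sub("", html.unescape(url))
    return urlsplit(cleaned).scheme.lower()


def is_safe_url(url: str) -> bool:
    try:
        scheme = url_scheme(url)
    except ValueError:            # urlsplit rejects malformed hosts; treat as unsafe
        return False
    return scheme == "" or scheme in SAFE_SCHEMES


def _skip_ws(s: str, i: int) -> int:
    while i < len(s) and s[i].isspace():
        i += 1
    return i


def _read_group(s: str, i: int):
    """Return (content, index past the closing brace) for the balanced {...}
    group starting at s[i], or None if s[i] is not '{' or braces are unbalanced."""
    if i >= len(s) or s[i] != "{":
        return None
    depth, j = 0, i
    while j < len(s):
        c = s[j]
        if c == "\\":             # escaped character (\{, \}, \\) is never a delimiter
            j += 2
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return s[i + 1:j], j + 1
        j += 1
    return None


def sanitize_latex(source: str) -> str:
    """Rewrite every \\href{url}{text} whose URL fails is_safe_url as \\text{text},
    so the visible label survives but nothing clickable is rendered."""
    macro = "\\href"
    out, i = [], 0
    while True:
        k = source.find(macro, i)
        if k < 0:
            out.append(source[i:])
            return "".join(out)
        # A backslash preceded by an odd run of backslashes is itself escaped
        # (e.g. the line break \\ followed by the letters "href"): literal text.
        n = 0
        while k - 1 - n >= 0 and source[k - 1 - n] == "\\":
            n += 1
        p = k + len(macro)
        if n % 2 == 1 or (p < len(source) and source[p].isalpha()):
            out.append(source[i:p])       # escaped, or a longer macro such as \hrefx
            i = p
            continue
        out.append(source[i:k])
        p = _skip_ws(source, p)
        url_group = _read_group(source, p)
        text_group = _read_group(source, _skip_ws(source, url_group[1])) if url_group else None
        if url_group is None or text_group is None:
            i = p                         # malformed \href: drop the macro name, keep the rest
            continue
        url, text = url_group[0], text_group[0]
        end = text_group[1]
        out.append(source[k:end] if is_safe_url(url) else "\\text{%s}" % text)
        i = end
```

The scheme check is deliberately an allow-list rather than a block-list of known-bad schemes: a link whose scheme is not recognised is dropped, which is the safe default for content rendered in every reader's session. The filter belongs at submission time and at render time; applying it only on input leaves posts stored before the fix untouched.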

Disclosure Timeline:

21/07/2021: Bug identified

22/07/2021: Initial vendor communications

26/07/2021: Vulnerability notification sent to the vendor

02/08/2021: Fix released (release-2021-08-02-19.11)

14/12/2021: This blog post published