Stored XSS Vulnerability in Open edX Platform < Lilac Release-2021-08-02-19.11
SureCloud identified a stored cross-site scripting (XSS) vulnerability in the Open edX platform prior to Lilac release-2021-08-02-19.11. Open edX is a Learning Management System (LMS) used by many large organizations, including Microsoft, IBM and several universities.
This article provides a technical overview of the identified vulnerability.
CVE-2021-39248 – Authenticated Stored XSS via LaTeX Injection
The following payload, which produces a popup box when executed, was used to detect and validate the presence of this vulnerability:
The vulnerability was assigned a CVSSv3 score of 6.1, based on the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. Note that this vector scores the issue as requiring no privileges (PR:N); scored as authenticated (PR:L), the same vector gives 5.4.
Demonstrating Impact – Account Hijack
To demonstrate the impact of the XSS, and the importance of fixing other, lower-severity issues, SureCloud chained several issues together to achieve account hijack on the Open edX platform. The issues chained were as follows:
- XSS (CVE-2021-39248)
- Sensitive information (the username and the CSRF token) stored in cookies without the HttpOnly flag set, so it can be read by script.
- The username used in the request URLs for managing profiles.
- The sign-in email address could be changed without re-authentication.
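The cookie weakness above is the kind of thing that is easy to confirm from a single HTTP response. The following audit function is an added example (not SureCloud's or Open edX's code): it parses Set-Cookie headers and reports cookies that lack HttpOnly, Secure or SameSite. The header values are constructed for illustration; the cookie names are assumptions (Django's default CSRF cookie is named csrftoken, and user-info stands in for whichever cookie carries the username).

```python
"""Audit Set-Cookie headers for the flags the account-hijack chain relies on.

Added example, not code from the original article or from edx-platform.
The sample headers are constructed; the cookie names are assumptions.
"""
from typing import Dict, List

# Cookies whose exposure to script matters for this chain (assumed names).
SENSITIVE_COOKIES = {"sessionid", "csrftoken", "user-info"}

# Constructed sample response headers, as a scanner would see them.
SAMPLE_HEADERS = [
    "sessionid=s3ss10n; Path=/; Secure; HttpOnly; SameSite=Lax",
    "csrftoken=t0k3n; Path=/; Secure; SameSite=Lax",          # readable by script
    'user-info={"username": "alice"}; Path=/; Secure',        # readable, no SameSite
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into name, value and attributes.

    Attribute names are lower-cased; flag attributes (HttpOnly, Secure)
    are stored as True, valued attributes (Path, SameSite) as strings.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(header: str, sensitive=SENSITIVE_COOKIES) -> List[str]:
    """Return findings for one Set-Cookie header; an empty list means no issue."""
    cookie = parse_set_cookie(header)
    name, attrs = cookie["name"], cookie["attrs"]
    findings = []
    # HttpOnly is what stops an XSS payload from reading the value.
    if name in sensitive and "httponly" not in attrs:
        findings.append(f"{name}: readable by script (no HttpOnly)")
    if "secure" not in attrs:
        findings.append(f"{name}: sent over plaintext HTTP (no Secure)")
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        findings.append(f"{name}: no SameSite=Lax/Strict")
    return findings


def audit_response(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name with at least one finding to its findings."""
    report = {}
    for header in headers:
        findings = audit_cookie(header)
        if findings:
            report[parse_set_cookie(header)["name"]] = findings
    return report


if __name__ == "__main__":
    for cookie_name, findings in audit_response(SAMPLE_HEADERS).items():
        for finding in findings:
            print(finding)
```

One caveat before flipping csrftoken to HttpOnly: many Django front ends, Open edX's included, copy the CSRF token out of the cookie into an X-CSRFToken request header from JavaScript. With CSRF_COOKIE_HTTPONLY enabled, the token has to be delivered in the page body (the csrf_token template tag) instead, so the change needs a matching front-end update.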
Combining these issues, a malicious user could carry out the following attack chain:
- Lure, or wait for, a user to visit the post containing the stored payload and click the malicious link.
- The payload reads the victim's username and CSRF token from the non-HttpOnly cookies and uses them to submit a profile-management request that changes the account's sign-in email address to an attacker-supplied value.
- At this stage, the attacker can issue a forgot-password request for the account, receive the reset email at the attacker-controlled address, and take ownership of the account.
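Two of the chained issues are server-side design choices: the target account is taken from the URL, and a sensitive change is accepted on the strength of a session and a CSRF token alone. The following handler is an added example of one hardening pattern (not edx-platform code, and not a description of the vendor's fix): the account acted on is always the one bound to the authenticated session, and changing the sign-in email requires the current password, which an XSS payload holding only the cookies cannot supply. The request shape, user store and credentials are constructed for illustration.

```python
"""Server-side checks that break the chain at the email-change step.

Added example; not code from the original article or from edx-platform.
The Request/User types and sample data are constructed for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class User:
    username: str
    email: str
    salt: bytes
    pw_hash: bytes


@dataclass
class Request:
    session_user: str                 # derived from the session cookie server-side
    url_username: str                 # username in the request path (client-controlled)
    form: Dict[str, str] = field(default_factory=dict)


class Forbidden(Exception):
    """The request targets an account other than the authenticated one."""


class ReauthRequired(Exception):
    """A sensitive change was attempted without proving the current password."""


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(username: str, email: str, password: str) -> User:
    salt = os.urandom(16)
    return User(username, email, salt, _hash_password(password, salt))


def verify_password(user: User, password: str) -> bool:
    # Constant-time comparison of the stored and recomputed hashes.
    return hmac.compare_digest(user.pw_hash, _hash_password(password, user.salt))


def change_email(users: Dict[str, User], req: Request) -> str:
    """Change the sign-in email of the session's user; returns the new address."""
    # 1. Act only on the session's account. The URL username is never trusted
    #    as the target; it is at most checked for consistency with the session.
    if req.url_username != req.session_user:
        raise Forbidden("URL username does not match the authenticated session")
    user = users[req.session_user]
    # 2. A session and a CSRF token are not enough for a change that grants
    #    password-reset capability: require the current password as well.
    if not verify_password(user, req.form.get("current_password", "")):
        raise ReauthRequired("current password required to change the sign-in email")
    user.email = req.form["new_email"]
    return user.email


def attempt(users: Dict[str, User], req: Request) -> str:
    """Run change_email and classify the outcome, for logging or testing."""
    try:
        change_email(users, req)
        return "changed"
    except Forbidden:
        return "forbidden"
    except ReauthRequired:
        return "reauth-required"


if __name__ == "__main__":
    store = {"alice": make_user("alice", "alice@example.com", "correct horse")}
    # What the XSS payload in the chain can send: cookies, but no password.
    print(attempt(store, Request("alice", "alice", {"new_email": "attacker@example.com"})))
    # A request that names another account in the URL.
    print(attempt(store, Request("bob", "alice", {"new_email": "attacker@example.com"})))
    # The legitimate user, re-authenticating with their password.
    print(attempt(store, Request("alice", "alice",
                                 {"current_password": "correct horse",
                                  "new_email": "alice.new@example.com"})))
```

In a real deployment the new address should also be confirmed through a link sent to it, with a notification to the old address, so that a compromised session cannot silently redirect password resets; that step is omitted here for brevity.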
Administrators of Open edX deployments are advised to upgrade to Lilac release-2021-08-02-19.11 or later.
Disclosure Timeline
21/07/2021: Bug identified
22/07/2021: Initial vendor communications
26/07/2021: Vulnerability notification sent to the vendor
02/08/2021: Fix released (release-2021-08-02-19.11)
14/12/2021: This blog post published