SureCloud identified a stored cross-site scripting (XSS) vulnerability within the Open edX platform in versions earlier than Lilac release-2021-08-02-19.11, a Learning Management System (LMS) used by many large organizations, including Microsoft, IBM and several universities.
The following article aims to provide a technical overview of the identified vulnerability.
The following payload, which causes a popup box when executed, was used to detect and validate the presence of this vulnerability:
This vulnerability was assigned a CVSSv3 base score of 6.1, based on the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N.
To demonstrate the impact of XSS and the importance of fixing other, less severe issues, SureCloud chained multiple issues together to achieve account hijack on the Open edX platform. The issues chained together were as follows:
Combining these issues, a malicious user could carry out the following attack chain:
The following video also demonstrates the described attack chain:
All system administrators of Open edX platforms are advised to upgrade to the latest Lilac release.
21/07/2021: Bug identified
22/07/2021: Initial vendor communications
26/07/2021: Vulnerability notification sent to the vendor
02/08/2021: Fix released (release-2021-08-02-19.11)
14/12/2021: This blog post published