CVE-2023-6359: Cross-Site Scripting in Alumne LMS

A Cross-Site Scripting (XSS) vulnerability has been found in Alumne LMS affecting version 4.0.0.1.08. Because the ‘localidad’ field on the /users/editmy page is not properly sanitised, an attacker could use the ‘localidad’ parameter to inject a custom JavaScript payload and partially take over another user’s browser session.


Affected Resources

Alumne LMS, version 4.0.0.1.08.

Description

INCIBE has coordinated the publication of a vulnerability affecting the e-learning platform Alumne LMS in its version 4.0.0.1.08, which has been discovered by Ignacio Lis Malagón.

The vulnerability has been assigned the following CVE identifier, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:

  • CVE-2023-6359: CVSS v3.1 base score 5.4 | CVSS vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CWE-79.

Solution

The vulnerability has been fixed in Alumne LMS version 4.0.0.1.44.

Detail

  • CVE-2023-6359: a Cross-Site Scripting (XSS) vulnerability has been found in Alumne LMS affecting version 4.0.0.1.08. Because the ‘localidad’ field on the /users/editmy page is not properly sanitised, an attacker could use the ‘localidad’ parameter to inject a custom JavaScript payload and partially take over another user’s browser session.
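The root cause above is a profile field that is stored and re-rendered without sanitisation. The following added example (not Alumne LMS code; the allow-list pattern and the two rendering helpers are assumptions for illustration) shows the two defences a fix for this class of bug relies on: validating the ‘localidad’ value on input against an allow-list, and HTML-encoding it on output in both the text context and the attribute context of an edit form.

```python
import html
import re

# Assumed allow-list for a locality (town/city) name: Latin letters including
# the accented characters used in Spanish place names, spaces, apostrophes,
# hyphens and dots, 1 to 100 characters. Not the vendor's actual rule.
_LOCALIDAD_RE = re.compile(r"^[A-Za-zÁÉÍÓÚÜÑáéíóúüñ' .\-]{1,100}$")


def validate_localidad(value: str) -> bool:
    """Input validation: accept only plausible place names, so a value
    containing markup such as '<' or '>' is rejected before it is stored."""
    return _LOCALIDAD_RE.fullmatch(value.strip()) is not None


def render_profile_field(label: str, value: str) -> str:
    """Output encoding for an HTML text context (profile page).
    The stored value is escaped every time it is rendered, even if it was
    validated on input, so a bypass of the validator is still harmless."""
    return (
        f"<label>{html.escape(label, quote=True)}</label>"
        f"<span>{html.escape(value, quote=True)}</span>"
    )


def render_edit_input(value: str) -> str:
    """Output encoding for an HTML attribute context (the edit form that
    pre-fills the field). quote=True also encodes double and single quotes,
    which is what prevents breaking out of the value attribute."""
    escaped = html.escape(value, quote=True)
    return f'<input type="text" name="localidad" value="{escaped}">'


if __name__ == "__main__":
    # Constructed sample inputs: a normal value and a markup-bearing one.
    for sample in ("Alcalá de Henares", "<script>alert(1)</script>"):
        print(validate_localidad(sample), render_profile_field("Localidad", sample))
```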
