Stored XSS in "Real Name" field - My Account
SegfaultMasters opened this issue · 4 comments
Description -
There's no escaping being done before printing out the value of Real Name in the My Account page.
ATutor version - v2.2.4
Steps to reproduce -
- Navigate to http://localhost/atutor/mods/_core/users/admins/my_edit.php & add the below-shared payload as the value to the Real Name field.
  Payload - admin<img src=xss onerror=alert(1)>
- Visit page http://localhost/atutor/mods/_core/users/admins/index.php, the payload will be triggered.
Please submit a pull request to fix this.
Someone requested a CVE identifier for this vulnerability and it got assigned CVE-2019-7172.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7172
https://nvd.nist.gov/vuln/detail/CVE-2019-7172
Please submit a pull request to fix this.
As a maintainer of this project, are you planning to fix this and release a new version? I don't think waiting for PRs is the correct way to handle security issues (maybe only if this is mentioned clearly in some documentation). Of course that is only my personal opinion, but I can't recommend people to use ATutor if this is the case.
ATutor is no longer maintained.
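The missing output escaping described in the report at the top of this thread, shown beside a hardened form. This is an added example, not part of the thread and not ATutor's code: the helper `h()`, the two `render_row_*` functions and the `$row` array are hypothetical stand-ins for the admin listing; only the Real Name value is taken from the report.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not an ATutor function): escape a stored value for an
// HTML text or quoted-attribute context at the point of output.
function h(string $value): string
{
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Behaviour described in the report: the stored Real Name is printed as-is,
// so any markup saved in the profile becomes part of the listing page.
function render_row_unescaped(array $admin): string
{
    return '<tr><td>' . $admin['login'] . '</td><td>'
        . $admin['real_name'] . "</td></tr>\n";
}

// Hardened form: every stored field is escaped where it enters the markup,
// regardless of what validation happened when the profile was saved.
function render_row_escaped(array $admin): string
{
    return '<tr><td>' . h($admin['login']) . '</td><td>'
        . h($admin['real_name']) . "</td></tr>\n";
}

// Constructed row standing in for a database record (assumption); the
// real_name value is the one given in the report.
$row = [
    'login'     => 'admin',
    'real_name' => 'admin<img src=xss onerror=alert(1)>',
];

echo "Unescaped: " . render_row_unescaped($row);

$safe = render_row_escaped($row);
echo "Escaped:   " . $safe;

// Regression check: no tag from the stored value may survive as markup.
if (stripos($safe, '<img') !== false) {
    throw new RuntimeException('stored markup survived output escaping');
}
```

Escaping at output time also neutralizes values that were stored before any input-side fix was deployed.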