CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |
Vector | AV:N/AC:M/Au:N/C:C/I:C/A:C |

EPSS Percentile: 73.0%
Coursemill Learning Management System version 6.6 and 6.8 contains multiple vulnerabilities.
CWE-472: External Control of Assumed-Immutable Web Parameter - CVE-2013-3599
In Coursemill 6.6, when loading the home page (/coursemill/cm0660/home.html), the response to the userlogin.jsp request returns the user role as a parameter (passed to the client for processing). In Coursemill 6.8, this has been partially remediated. Privilege escalation is still possible without authentication.
CWE-472: External Control of Assumed-Immutable Web Parameter - CVE-2013-3600
In Coursemill 6.6, the userid parameter is exploitable in certain functions. Using the “Edit Profile” function and replaying the request can result in access to another user's (or a privileged user's) information. It is unknown if this is remediated in version 6.8.
CWE-250: Execution with Unnecessary Privileges - CVE-2013-3601
In Coursemill 6.6, the application relies on JavaServer Pages (JSP) for user-executed functions. These function calls take an “op” parameter that tells the JSP which operation to run. Operations that should be restricted to administrators were found to be executable by users in the non-administrative Student role. This has been remediated in Coursemill 6.8.
CWE-89: Improper Neutralization of Special Elements used in a SQL Command (“SQL Injection”) - CVE-2013-3602
In Coursemill 6.6, the following JSP call is intended to retrieve information about uploaded documents:
/coursemill/cm0660/admindocumentworker.jsp?op=info&docID=1&rndval=1348848360092&getAttrs=undefined
The docID parameter passes the numeric value of the document to the server, which then retrieves the document data from the database. The application passes SQL statements directly from the user to the SQL server for processing. This has been remediated in Coursemill 6.8.
CWE-79: Improper Neutralization of Input During Web Page Generation (“Cross-site Scripting”) - CVE-2013-3603
In Coursemill 6.6, the application was observed to reflect error messages containing user-provided URL input directly to the browser without proper input validation and output encoding. This allows for a reflected XSS attack, whereby an attacker can pass a crafted link to a user which when clicked, executes malicious JavaScript to attack the user.
This is partially remediated in Coursemill 6.8. The application is still vulnerable to reflected XSS due to insufficient input validation and output encoding. The application attempts to remove event attributes by keyword: anything containing the letters “on” (such as “onmouseover”) is removed. This can be defeated by inserting null bytes (%00) between the “o” and the “n”, which evades the filter and allows the browser to execute the script. The additional validation step of removing closing brackets (“>”) is also insufficient, because some browsers, such as Internet Explorer, tolerate the lack of a closing bracket and execute the HTML regardless.
CWE-79: Improper Neutralization of Input During Web Page Generation (“Cross-site Scripting”) - CVE-2013-3604
In Coursemill 6.6 and 6.8, a stored XSS attack is possible in several application inputs.
Coursemill 6.8 adds a filter for closing quotes, but does not filter other input (such as %22).
CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2013-3605
Coursemill 6.6 relies on cookie values to authenticate a request from a user, rendering it vulnerable to CSRF attacks. Coursemill 6.8 adds CSRF tokens but they are constructed using predictable values (timestamps of the user).
An attacker can conduct a cross-site scripting, cross-site request forgery, or privilege escalation attack, which may result in information leakage or privilege escalation.
Apply an Update
Coursemill version 6.8 provides some remediation to these issues.
960908
Notified: June 12, 2013 Updated: August 30, 2013
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 6.4 | AV:N/AC:L/Au:N/C:P/I:P/A:N |
Temporal | 5.8 | E:POC/RL:U/RC:C |
Environmental | 1.4 | CDP:N/TD:L/CR:ND/IR:ND/AR:ND |
<http://lectora.com/e-learning-software-downloads/>
Thanks to Mike Czumak for reporting this vulnerability.
This document was written by Chris King.
CVE IDs: | CVE-2013-3599, CVE-2013-3600, CVE-2013-3601, CVE-2013-3602, CVE-2013-3603, CVE-2013-3604, CVE-2013-3605 |
---|---|
Date Public: | 2013-08-30 |
Date First Published: | |