Pearson eSIS Enterprise Student Information System XSS

Published: 06 Apr 2014 | Reported by: Tudor Enache | Type: packetstorm | Source: packetstormsecurity.com

Stored Cross-Site Scripting (XSS) vulnerability in Pearson eSIS Enterprise Student Information System. Super User account hijack risk.

`Advisory ID: hag201477  
Product: Pearson eSIS Enterprise Student Information System  
Vendor: PearsonVue  
Vulnerable Version(s): Any version  
Advisory Publication: April 06, 2014  
Vendor Notification: March 05, 2014  
Public Disclosure: April 06, 2014  
Vulnerability Type: Cross-Site Scripting [CWE-79]  
CVE Reference: CVE-2014-1454  
Risk Level: Medium  
CVSSv2 Base Score: 6.4 (AV:N/AC:H/Au:N/C:N/I:P/A:N)  
Solution Status: Solution not yet released  
Discovered and Provided: Tudor Enache from Help AG Middle East  
  
------------------------------------------------------------------------  
  
About the vendor:  
Pearson VUE provides a full suite of services from test development to data management, and delivers exams through the world’s most comprehensive and secure network of test centers in 175 countries. Pearson VUE is a business of Pearson (NYSE: PSO; LSE: PSON), the world's leading learning company.  
  
Advisory Details:  
  
During a pentest, Help AG discovered the following:  
Stored cross-site scripting (XSS) vulnerability in the message board. Logged in as a Super User, we managed to inject malicious cross-site scripting payloads via enterprise messages. The payload would execute in the context of every user in the system. This could be used to hijack sessions, present victims with phishing pages, or completely compromise the computer that is executing the payload.  
  
1) Stored Cross-Site Scripting (XSS) in Pearson eSIS Enterprise Student Information System: CVE-2014-1454  
  
To reproduce the issue, a Super User account is needed. Log in, go to the message board functionality of eSIS, create a new enterprise message using the HTML tab, and add the following payload as the message:  
<img src="https://esisplatform.example.com/aal/1" onerror="alert(document.cookie)">  
  
  
Attackers could compromise a Super User account and send a malicious message to every teacher/student using the platform. This can be anything from a session hijacker script to a malicious backdoor.  
  
------------------------------------------------------------------------  
  
Solution:  
  
The vendor was notified; contact the vendor for the patch details.  
  
------------------------------------------------------------------------  
  
References:  
  
[1] Help AG Middle East - http://www.helpag.com/  
[2] Pearson eSIS - http://www.pearsonschoolsystems.com/products/esis/  
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.  
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.  
  
------------------------------------------------------------------------  
  
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible.  
`
