WebUntis 2020.12.1 Cross Site Scripting

09 Jun 2020 00:00:00 | Reported by Robin Meis | Type: packetstorm | Source: packetstormsecurity.com

WebUntis 2020.12.1 Cross Site Scripting vulnerability in private messaging

I. VULNERABILITY
-------------------------
WebUntis 2020.12.1 - (Authenticated) Cross Site Scripting

II. BACKGROUND
-------------------------
WebUntis is a tool for schools and universities to deliver electronic timetables to their students. Depending on the activated modules, it also contains sensitive information within the integrated class register and grade book. Furthermore, it supports private messaging.

III. DESCRIPTION
-------------------------
The private messaging component contains a persistent XSS vulnerability within the message body which allows the execution of arbitrary JavaScript in the context of the victim user's browser.

IV. HISTORY
-------------------------
The issue was reported in December 2019 to Untis GmbH. Against my advice, the vendor tried to fix the issue by implementing a Cross-Site-Scripting filter. Public (full) disclosure was on 22.03.2020. It turned out that the filter is not sufficient and can be easily bypassed.

V. PROOF OF CONCEPT
-------------------------
Send a new private message to any user within WebUntis containing the following message body:

<img src="test.jpg" / onerror="alert('XSS')">

Reading the message on either the sender's or the recipient's account will cause the script to execute.

VI. BUSINESS IMPACT
-------------------------
The attacker is able to execute any JavaScript in the logged-in user's context. PoCs to manipulate grades and to steal API/OTP tokens for full access using the mobile app exist.

VII. SYSTEMS AFFECTED
-------------------------
WebUntis <= 2020.12.1 (currently unfixed)

VIII. SOLUTION
-------------------------
Avoid using private messages.

IX. REFERENCES
-------------------------
https://robin.meis.space/ (German articles)

X. CREDITS
-------------------------
This vulnerability has been discovered and reported by Robin Meis ([email protected])

XI. DISCLOSURE TIMELINE
-------------------------
11.12.2019 - Report of CSRF and XSS vulnerabilities to Untis GmbH
02.01.2020 - First response (restored mail from spam folder)
27.01.2020 - Offer of bug bounty against NDA
meanwhile - Implementation and tests of an XSS filter by vendor
- Advised vendor to do proper HTML encoding
- Report of further XSS vulnerabilities
11.03.2020 - Limited disclosure, one XSS vulnerability remains unfixed
12.03.2020 - Remaining issue fixed
22.03.2020 - Full disclosure
07.06.2020 - PoC for filter bypass, full disclosure
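The timeline above notes that the vendor was advised to do proper HTML encoding instead of filtering. The following is an added example, not code from the advisory or from WebUntis, that shows why: a hypothetical tag/attribute blacklist of the kind that gets bypassed (the vendor's real filter is not described on the page, so this one is an assumption) is rendered next to context-correct HTML entity encoding of the message body, and a small check reports whether the rendered output still contains raw markup. The `renderMessage`, `escapeHtml`, `naiveBlacklistFilter` and `containsRawMarkup` names are mine.

```javascript
'use strict';

// Hypothetical blacklist filter (an assumption, not the vendor's code): strips
// <script> blocks and a short list of known event handlers. Anything not on the
// list, such as the onerror handler in the advisory's PoC, passes through.
function naiveBlacklistFilter(body) {
  return String(body)
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')
    .replace(/\son(load|click|mouseover)\s*=/gi, ' data-blocked=');
}

// Context-correct encoding for HTML text content: every character that can
// open markup or terminate an attribute value becomes an entity, so the
// browser renders the message as text and never sees a tag.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Renders a message body into the page template using the supplied encoder.
function renderMessage(body, encoder) {
  return `<div class="message-body">${encoder(body)}</div>`;
}

// Defensive check for a unit test or CI gate: true when the rendered body still
// contains a tag opener (a '<' followed by a letter, '!' or '/') that did not
// come from the template wrapper itself.
function containsRawMarkup(html) {
  const inner = html.replace(/^<div class="message-body">|<\/div>$/g, '');
  return /<[a-z!/]/i.test(inner);
}

// Constructed sample bodies: the advisory's PoC payload and a benign message
// that happens to contain characters an over-eager filter would mangle.
const SAMPLES = [
  '<img src="test.jpg" / onerror="alert(\'XSS\')">',
  'See you at 5 < 6 o\'clock & bring the "notes"',
];

// Returns one result row per sample so the comparison can be asserted on.
function compareStrategies(samples = SAMPLES) {
  return samples.map((body) => {
    const blacklisted = renderMessage(body, naiveBlacklistFilter);
    const encoded = renderMessage(body, escapeHtml);
    return {
      body,
      blacklisted,
      blacklistLeaksMarkup: containsRawMarkup(blacklisted),
      encoded,
      encodedLeaksMarkup: containsRawMarkup(encoded),
    };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of compareStrategies()) {
    console.log(`blacklist (leaks markup: ${row.blacklistLeaksMarkup}): ${row.blacklisted}`);
    console.log(`encoded   (leaks markup: ${row.encodedLeaksMarkup}): ${row.encoded}`);
  }
}
```

Running the block prints the PoC body surviving the blacklist intact, because `onerror` is simply not on its list, while the entity-encoded version contains no tag at all. The second sample shows the other half of the argument: encoding preserves the benign `<`, `&` and quotes as visible text, so correctness does not depend on guessing which inputs are hostile.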
