Pearson eSIS Enterprise Student Information System Stored XSS

2014-05-05T00:00:00
ID SECURITYVULNS:DOC:30621
Type securityvulns
Reporter Securityvulns
Modified 2014-05-05T00:00:00

Description

Advisory ID: hag201477 Product: Pearson eSIS Enterprise Student Information System Vendor: PearsonVue Vulnerable Version(s): Any version Advisory Publication: April 06, 2014 Vendor Notification: March 05, 2014 Public Disclosure: April 06, 2014 Vulnerability Type: Cross-Site Scripting [CWE-79] CVE Reference: CVE-2014-1454 Risk Level: Medium CVSSv2 Base Score: 6.4 (AV:N/AC:H/Au:N/C:N/I:P/A:N) Solution Status: Solution not yet released Discovered and Provided: Tudor Enache from Help AG Middle East



about the vendor: Pearson VUE provides a full suite of services from test development to data management, and delivers exams through the world’s most comprehensive and secure network of test centers in 175 countries. Pearson VUE is a business of Pearson (NYSE: PSO; LSE: PSON), the world's leading learning company.

Advisory Details:

During a Pentest Help AG discovered the following: Stored cross-site scripting (XSS) vulnerability in the message board. Logged in as a Super User we managed to inject malicious cross site scripting payloads via enterprise messages. The payload would execute in the context of every user in the system. This could be used to hijack session, provide victims with phishing pages or completely compromise the computer that is executing the payload.

1) Stored Cross-Site Scripting (XSS) in Pearson eSIS Enterprise Student Information System: CVE-2014-1454

To reproduce the issue a Super User account is needed. After that is accomplished one needs to log in, go to the message board functionality of eSIS and create a new enterprise message using the HTML tab and add the following payload as a message: <img src="https://esisplatform.example.com/aal/1" onerror="alert(document.cookie)">

Hackers could compromise a Super User account and send a malicious message to every teacher/student using the platform. This can be anything from a session hijacker script to a malicious backdoor



Solution:

The vendor was notified, contact the vendor for the patch details



References:

[1] help AG middle East http://www.helpag.com/. [2] Peason eSIS http://www.pearsonschoolsystems.com/products/esis/ [3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVEВ® is a dictionary of publicly known information security vulnerabilities and exposures. [4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.



Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible.