Vulnerability discovered in the package ATutor
February 11, 2019
CWE – 79
ATutor is an open source web based online learning system which is mainly used to design, develop and deliver the online courses.
Before printing the `Real Name` value on the ‘Accounts page, there is no escape being done, leaving the application vulnerable to the specific XSS attack.
Reference link: https://github.com/atutor/ATutor/issues/164
- Avoid inserting or adding the untrusted input data
- Data filtration techniques must be given high importance
- It is advisable to practice content security policy and adopt the auto escaping template system
- Implement the X-XSS-Protection response header
- Vendor Disclosure: 2019-01-16
- Public Disclosure: 2019-02-11
Discovered by ACE Team – Loginsoft