@kyletimmermans
Last active August 28, 2024 20:47
CVE-2020-9008

A stored Cross-site scripting (XSS) vulnerability in Blackboard Learn/CloudPeopleTool v9.1 Q2 2017 CU5


Discovered: February 12th, 2020

Feature discontinued as of April 15th, 2020

  • See Blackboard advisory here

Description:

Bad actors can inject arbitrary web script via the Tile widget (aka profile-tiles) input forms located in their People Tool profile. The input is not properly sanitized and is stored on their profile.


Impact:

An arbitrary script may be executed on the user's web browser (CWE-79).


Affected Versions:

Version 9.1 Q2 2017 Cumulative Update 5 (Build: 3200.0.5-rel.6+3dd6b56) and earlier versions that include the Tile widget in the profile editor. Later versions with this widget installed are more than likely affected as well, as this issue has not been addressed previously.


Affected URLs:

  • ui.cloudbb.blackboard.com/profiles/me
  • example.blackboard.com/webapps/bb-social-learning-bb_bb60/execute/mybb?cmd=display&toolId=CloudCoreGateOnMyBb_____CloudPeopleTool
  • example.blackboard.com/webapps/discussionboard/do/message?

Steps to Reproduce:

  1. To exploit the vulnerability, the attacker must enter a <script> opening tag and a </script> closing tag in the "MAJOR" tile widget on their profile customization page at https://ui.cloudbb.blackboard.com/profiles/me. All tiles are vulnerable; however, the "MAJOR" tile is the only element shown when hovering over a profile, which makes it the most notable tile to work on.
  2. Before hitting save, the entered text should show up in a pull-down menu; select it from this menu.
  3. On submission, the script is stored in the profile's public page. Whenever the profile is visited, the script tags are interpreted and any JavaScript code between them is executed in the visitor's browser. Hovering over the attacker's icon in the My Learning Network at https://example.blackboard.com/webapps/bb-social-learning-bb_bb60/execute/mybb?cmd=display&toolId=CloudCoreGateOnMyBb_____CloudPeopleTool also causes the code to be executed in the visitor's browser. In addition to these affected resources, the discussion boards at https://example.blackboard.com/webapps/discussionboard/do/message? include a user's icon that can be hovered over or clicked on, which also triggers the script.
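
The root cause described above (a tile value stored and later written into several pages without encoding) and its fix, shown as an added example that is not Blackboard's code or part of the original advisory. All function names, the markup, the 64-character limit and the sample values are assumptions made for illustration.

```javascript
// Added example: hypothetical names and markup, not Blackboard code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for an HTML text node or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the stored tile value is concatenated into markup as-is,
// which is the behaviour the advisory describes.
function renderHoverCardUnsafe(profile) {
  return '<div class="hover-card"><span class="major">' + profile.major + '</span></div>';
}

// "After": encode at output time. The same call belongs in every sink that
// shows the tile (profile page, hover card, discussion board icon).
function renderHoverCard(profile) {
  return '<div class="hover-card"><span class="major">' + escapeHtml(profile.major) + '</span></div>';
}

// Defence in depth at save time: accept only short plain-text values.
// This complements output encoding; it does not replace it.
function validateTile(value) {
  const text = String(value).normalize('NFC').trim();
  if (text.length === 0 || text.length > 64) return { ok: false, reason: 'length' };
  if (!/^[\p{L}\p{N} .,&'()\/-]+$/u.test(text)) return { ok: false, reason: 'characters' };
  return { ok: true, value: text };
}

// Constructed sample tile values: two legitimate, one carrying markup.
const SAMPLES = ['Computer Science & Math', "Women's Studies", '<script>alert(1)</script>'];

// Report, per sample, whether the save check accepts it and whether either
// renderer would emit a live <script> element.
function audit(samples) {
  return samples.map((major) => ({
    major,
    accepted: validateTile(major).ok,
    unsafeEmitsScript: renderHoverCardUnsafe({ major }).includes('<script'),
    safeEmitsScript: renderHoverCard({ major }).includes('<script'),
  }));
}

console.log(audit(SAMPLES));
```

Encoding at render time is the control that closes the issue, because values already stored before a save-time check was introduced still pass through the renderers.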

HTTP Request Example:

[Image: HTTP request example]


Credit:

Kyle Timmermans

https://www.linkedin.com/in/kyle-timmermans/

https://twitter.com/KyleTimmermans

https://github.com/kyletimmermans/
