Vulnerability Name: Multiple cross-site scripting (XSS) vulnerabilities in Tin Canny Reporting for LearnDash
Registered: CVE-2020-9439
Discoverers:
Michael Ritter
Vendor of Product:
Uncanny Owl
Affected Product Code Base:
Uncanny Owl Tin Canny LearnDash Reporting before 3.4.4
Attack Type:
Remote
Vulnerability Type:
Cross-Site Scripting (XSS)
Vulnerability Impact:
Code Execution, Information Disclosure
Attack Vector:
To exploit this vulnerability, a user must navigate to the Uncanny Owl Tin Canny LearnDash Reporting plugin.
Description:
Multiple cross-site scripting (XSS) vulnerabilities in Uncanny Owl - Tin Canny LearnDash Reporting 3.3.7 allow authenticated remote attackers to inject arbitrary web script or HTML via:
- search_key GET Parameter in TinCan_Content_List_Table.php
- message GET Parameter in licensing.php
- tc_filter_group in reporting-admin-menu.php
- tc_filter_user in reporting-admin-menu.php
- tc_filter_course in reporting-admin-menu.php
- tc_filter_lesson in reporting-admin-menu.php
- tc_filter_module in reporting-admin-menu.php
- tc_filter_action in reporting-admin-menu.php
- tc_filter_data_range in reporting-admin-menu.php
- tc_filter_data_range_last in reporting-admin-menu.php
Reporting Timeline:
28/02/2020: Vulnerability registered
28/02/2020: Vulnerability was reported to Uncanny Owl
19/08/2020: Vulnerability patched with the release of Tin Canny Reporting for LearnDash 3.4.4
22/12/2020: Public disclosure
Remediated Product Version:
Uncanny Owl Tin Canny LearnDash Reporting 3.4.4
Reference:
https://www.uncannyowl.com/knowledge-base/tin-canny-learndash-reporting-changelog/
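
A log check built from the parameter list in the Description, as an added example that is not part of the original advisory or the vendor's code: it flags requests in which one of the listed parameters carries HTML metacharacters. The combined access-log format, the sample lines (including the `/wp-admin/admin.php?page=example` path) and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names taken from the advisory's Description list.
ADVISORY_PARAMS = {
    "search_key", "message",
    "tc_filter_group", "tc_filter_user", "tc_filter_course",
    "tc_filter_lesson", "tc_filter_module", "tc_filter_action",
    "tc_filter_data_range", "tc_filter_data_range_last",
}
# Characters that let a reflected value leave HTML text or an attribute context.
MARKUP = re.compile(r"[<>\"'`]")
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_params(log_line):
    """Return sorted (param, decoded_value) pairs that carry markup characters."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    query = urlsplit(m.group(1)).query
    hits = []
    # parse_qsl percent-decodes once, so double-encoded values are not caught here.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in ADVISORY_PARAMS and MARKUP.search(value):
            hits.append((name, value))
    return sorted(hits)

def scan(lines):
    """Map 1-based line number -> hits, for lines with at least one hit."""
    return {i: h for i, line in enumerate(lines, 1) if (h := suspicious_params(line))}

# Constructed sample log lines (not taken from any real system).
SAMPLE = [
    '203.0.113.5 - admin [01/Mar/2020:10:00:00 +0000] '
    '"GET /wp-admin/admin.php?page=example&tc_filter_user=42 HTTP/1.1" 200 512',
    '203.0.113.5 - admin [01/Mar/2020:10:00:05 +0000] '
    '"GET /wp-admin/admin.php?page=example&search_key=%3Cem%3Ex%3C%2Fem%3E HTTP/1.1" 200 530',
    # "message" is a common parameter name, so a plain apostrophe is a noisy hit.
    '203.0.113.9 - - [01/Mar/2020:10:01:00 +0000] '
    '"GET /wp-admin/admin.php?page=example&tc_filter_course=7&message=it%27s+done HTTP/1.1" 200 498',
]

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE).items():
        print(lineno, hits)
```

Only query strings that reach the access log are inspected; hits on installations already running 3.4.4 or later indicate probing rather than exposure to this issue.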