CVE-2019-7172: Vulnerability discovered in the package ATutor

Vulnerability Reports
February 11, 2019
Jason Franscisco

Vulnerability discovered in the package ATutor

Loginsoft-2019-1035

February 11, 2019

CVE Number

CVE-2019-7172

CWE

CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")

Product Details

ATutor is an open-source, web-based online learning system used mainly to design, develop and deliver online courses.

URL: https://atutor.github.io/

Vulnerable Versions

v2.2.4

Vulnerability Details

The `Real Name` value is printed on the Accounts page without being escaped, leaving the application vulnerable to cross-site scripting (XSS) through that field.

Reference link: https://github.com/atutor/ATutor/issues/164

Mitigations

  • Avoid inserting untrusted input data into the page
  • Give input filtering high priority
  • Always escape or sanitise data for the context it is written into (HTML escaping, attribute escaping, JavaScript escaping, JSON parsing and HTML encoding) before inserting it into page content
  • It is advisable to deploy a Content Security Policy and adopt an auto-escaping template system
  • Implement the X-XSS-Protection response header
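The mitigations above as a worked example. This is added Python code, not ATutor's code and not Loginsoft's: `render_vulnerable` mirrors the unescaped output the advisory describes, `render_hardened` escapes the same `Real Name` value separately for the HTML text, attribute and JavaScript contexts, and `security_headers` returns the Content Security Policy and X-XSS-Protection headers from the list. The sample name, the nonce value and all function names are constructed for illustration.

```python
import html
import json

# Constructed sample value: a display name carrying script markup, the kind of
# input the advisory says the Accounts page printed without escaping.
SAMPLE_REAL_NAME = "<script>alert(1)</script>"

# Constructed nonce for the example; real code generates a fresh random
# nonce per response and puts it in both the CSP header and the <script> tag.
SCRIPT_NONCE = "c0nstructedN0nce"


def render_vulnerable(real_name: str) -> str:
    """'Before' form: the stored value is interpolated straight into HTML."""
    return f"<td>{real_name}</td>"


def escape_html(value: str) -> str:
    """Escape for HTML text and quoted-attribute contexts.

    &, <, >, " and ' become character references. In ATutor's PHP code base
    the equivalent call is htmlspecialchars($value, ENT_QUOTES, 'UTF-8').
    """
    return html.escape(value, quote=True)


def escape_js(value: str) -> str:
    """Escape for a JavaScript string context.

    json.dumps yields a quoted, backslash-escaped literal; <, > and & are then
    written as \\uXXXX sequences so the literal can never close an enclosing
    <script> element or introduce markup, whatever the HTML parser sees first.
    """
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_hardened(real_name: str, nonce: str = SCRIPT_NONCE) -> str:
    """'After' form: one value written into three contexts, each through the
    escaper that matches that context."""
    safe_html = escape_html(real_name)
    return (
        f"<td>{safe_html}</td>"                                        # HTML text
        f'<input type="text" name="real_name" value="{safe_html}">'    # attribute
        f'<script nonce="{nonce}">var realName = {escape_js(real_name)};</script>'  # JS string
    )


def security_headers(nonce: str = SCRIPT_NONCE) -> dict:
    """Defence-in-depth response headers from the mitigation list.

    The CSP allows only same-origin and nonce-carrying scripts, so an injected
    inline <script> block does not run even if an escape is missed somewhere.
    X-XSS-Protection is retained only for old browsers; current major browsers
    no longer implement the filter it controls, so the CSP is the control that
    actually holds.
    """
    return {
        "Content-Security-Policy": (
            f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; object-src 'none'"
        ),
        "X-XSS-Protection": "1; mode=block",
    }


def still_injectable(markup: str) -> bool:
    """Detection check for this sample: does the rendered markup still carry the
    raw script tag from the input, i.e. was escaping skipped on the way out?"""
    return "<script>alert" in markup


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_REAL_NAME))
    print("hardened:  ", render_hardened(SAMPLE_REAL_NAME))
    print("headers:   ", security_headers())
```

The point of keeping three escapers rather than one is that the correct transformation depends on where the value lands: entity encoding is right for HTML text and attributes but does nothing inside a JavaScript string, and vice versa. An auto-escaping template engine makes the HTML case the default so a missed `htmlspecialchars` call cannot reproduce this advisory's defect; the CSP covers the cases that still slip through.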
Timeline

  • Vendor Disclosure: 2019-01-16
  • Public Disclosure: 2019-02-11

Credit

Discovered by ACE Team - Loginsoft