ATutor-Cross-Site Scripting (XSS)

[ddddyyy]

Product: ATutor
Download: https://github.com/atutor/ATutor
Vunlerable Version: 2.2.2 and probably prior
Tested Version: 2.2.2
Author: ADLab of Venustech

Advisory Details:
Cross-Site Scripting (XSS) were discovered in“ATutor 2.2.2”, which can be exploited to execute arbitrary JS code.

The parameter "url" in the file /ATutor/mods/_standard/rss_feeds/edit_feed.php is unsafe, we can bypass the XSS filter.An attacker could execute arbitrary JS code in a browser in the context of the vulnerable website.
The exploitation examples below use the "alert()" JavaScript function to see a pop-up messagebox:
the poc is : =file%3A%2F%2F%2Fetc%2Fpasswd+%3C%3E%3Cimg+src%3Dxx+onerror%3Dalert%281%29%3E

[atutor]

Not able to make your poc work. Can provide a little more details how you used it?

[ddddyyy]

@atutor
I am providing more details about this vulnerability.
setp1: In the file /ATutor/mods/_standard/rss_feeds/edit_feed.php, while adding a news feed, and the parameter "url" is "file%3A%2F%2F%2Fetc%2Fpasswd+%3C%3E%3Cimg+src%3Dxx+onerror%3Dalert%281%29%3E"

setp2: Visiting the url "http://site/ATutor/mods/_standard/rss_feeds/index.php", we will see a pop-up messagebox.

[atutor]

Issue has now been resolved at:
9292360
Given it is a relatively minor issue, we will release this fix in the next release (2.2.3) rather than posting a patch. Mention its fixed in 2.2.3, or point to the git commit for the fix for earlier versions, in your report.