Skip to content

cseasholtz/CVE-2021-36747

main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 

CVE-2021-36747

Blackboard Learn through 9.1 allows XSS by an authenticated user via the Feedback to Learner form.


Discovered: May 11th, 2018

The Blackboard Security Team has been notified of this issue. They acknowledged the vulnerability on May 14, 2018.

Description:

The Blackboard tool commonly used in K-12 and Higher Education allows Instructors and Graders to provide feedback on assignments submitted. This feedback is plaintext that is converted to HTML. This could allow malicious actors to insert Javascript, which would be executed in the Learner's web browser when viewing the feedback.

Impact:

An arbitrary script may be executed on the user's web browser (CWE-79).

Affected Versions:

Version 9.1 and earlier versions that include the ability to edit HTML when providing Feedback to Learner in the grading process.

Steps to Reproduce:

  1. To exploit the vulnerability, the attacker must enter a <script> open and </script> close tag in the Feedback to Learner area of the assignment grading tool
  2. On submission, the script is stored in the comment section of the assignment. When the student user views the comment on their Grades page, the script is executed

Screenshots

alt text alt text

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published