CVE-2020-9008
A stored Cross-site scripting (XSS) vulnerability in Blackboard Learn/CloudPeopleTool v9.1 Q2 2017 CU5
Discovered: February 12th, 2020
Feature discontinued as of April 15th, 2020
- See Blackboard advisory here
Description:
An attacker can inject arbitrary web script via the Tile widget (aka profile-tiles) input forms in their People Tool profile. The input is not properly sanitized and is stored on the attacker's profile.
Impact:
An arbitrary script may be executed on the user's web browser (CWE-79).
Affected Versions:
Version 9.1 Q2 2017 Cumulative Update 5 (Build: 3200.0.5-rel.6+3dd6b56) and earlier versions that include the Tile widget in the profile editor. Later versions with this widget installed are very likely affected as well, since the issue had not been addressed previously.
| Affected URLs |
|---|
| ui.cloudbb.blackboard.com/profiles/me |
| example.blackboard.com/webapps/bb-social-learning-bb_bb60/execute/mybb?cmd=display&toolId=CloudCoreGateOnMyBb_____CloudPeopleTool |
| example.blackboard.com/webapps/discussionboard/do/message? |
Steps to Reproduce:
- To exploit the vulnerability, the attacker enters an opening <script> tag, a JavaScript payload, and a closing </script> tag in the "MAJOR" tile widget on their profile customization page at https://ui.cloudbb.blackboard.com/profiles/me. All tiles are vulnerable, but the "MAJOR" tile is the only element shown when hovering over a profile, which makes it the most useful tile to target.
- Before hitting save, the entered text appears in a pull-down menu; select it from this menu.
- On submission, the script is stored on the profile's public page. Whenever the profile is visited, the script tags are interpreted and any JavaScript between them is executed in the visitor's browser.
- Hovering over the attacker's icon in My Learning Network at https://example.blackboard.com/webapps/bb-social-learning-bb_bb60/execute/mybb?cmd=display&toolId=CloudCoreGateOnMyBb_____CloudPeopleTool also causes the code to be executed in the visitor's browser.
- In addition to these affected resources, the discussion boards at https://example.blackboard.com/webapps/discussionboard/do/message? include the user's icon, which can be hovered over or clicked on and also triggers the script.
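The steps above describe the classic stored-XSS pattern: a value saved once in the profile is later concatenated into the markup of the hover card on every page that shows the icon. The following is an added illustration, not Blackboard's code and not the original writeup's, of that render path and its hardened form. The tile names, the renderer functions, and the probe string are all constructed for the example; the point is that encoding at the output point fixes every location (profile page, My Learning Network, discussion board) that renders the same stored value.

```javascript
// Added example, not Blackboard code: how a stored profile-tile value reaches
// a visitor's DOM unescaped (stored XSS, CWE-79) versus HTML-encoded.
// Runs under Node.js with no dependencies; all inputs are constructed here.

// Minimal HTML encoder for the text-node context, which is the only context
// a plain-text tile needs. Attribute, URL and event-handler contexts would
// require additional encoding rules.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hypothetical vulnerable renderer: the stored tile value is concatenated
// into the hover-card markup as-is, so tags the profile owner saved are
// parsed by every visitor's browser. tileName is assumed to be a server-side
// constant (not user input), so it is not the injection point here.
function renderTileVulnerable(tileName, storedValue) {
  return `<div class="tile tile-${tileName}">${storedValue}</div>`;
}

// Hardened renderer: identical markup, but the stored value is encoded for
// the text-node context, so a saved "<script>" renders as literal text.
function renderTileSafe(tileName, storedValue) {
  return `<div class="tile tile-${tileName}">${escapeHtml(storedValue)}</div>`;
}

// A check a tester can run over a rendered page fragment: did a raw script
// tag survive into the markup? Deliberately narrow; a real assessment also
// inspects event-handler attributes and javascript: URLs.
function containsRawScriptTag(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Constructed probe a tester would save in the "MAJOR" tile. It only reveals
// the executing origin; it is not the payload from the original report.
const PROBE = "<script>alert(document.domain)</script>";

// Demonstration on the constructed input.
const vulnerableMarkup = renderTileVulnerable("MAJOR", PROBE);
const safeMarkup = renderTileSafe("MAJOR", PROBE);
console.log("vulnerable:", vulnerableMarkup);
console.log("raw <script> survives:", containsRawScriptTag(vulnerableMarkup));
console.log("hardened:  ", safeMarkup);
console.log("raw <script> survives:", containsRawScriptTag(safeMarkup));
```

The DOM-side equivalent of the two renderers is assigning the stored value to `element.innerHTML` (vulnerable) versus `element.textContent` (safe). Encoding must happen where the value is written into HTML, not only at save time, because the same stored string is rendered in three different places on the affected pages.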
HTTP Request Example:
Credit:
Kyle Timmermans
https://www.linkedin.com/in/kyle-timmermans/
