
CVE-2020-9008

A stored Cross-site scripting (XSS) vulnerability in Blackboard Learn/CloudPeopleTool v9.1 Q2 2017 CU5


Discovered: February 12th, 2020

Feature discontinued as of April 15th, 2020

  • See Blackboard advisory here

Description:

Bad actors can inject arbitrary web script via the Tile widget (aka profile-tiles) input forms located in their People Tool profile. The input is not properly sanitized and is stored on their profile.


Impact:

An arbitrary script may be executed on the user's web browser (CWE-79).


Affected Versions:

Version 9.1 Q2 2017 Cumulative Update 5 (Build: 3200.0.5-rel.6+3dd6b56) and earlier versions that include the Tile widget in the profile editor. Later versions with this widget installed are more than likely affected as well, as this issue has not been addressed previously.


Affected URLs:

  • ui.cloudbb.blackboard.com/profiles/me
  • example.blackboard.com/webapps/bb-social-learning-bb_bb60/execute/mybb?cmd=display&toolId=CloudCoreGateOnMyBb_____CloudPeopleTool
  • example.blackboard.com/webapps/discussionboard/do/message?

Steps to Reproduce:

  1. To exploit the vulnerability, the attacker must enter a <script> open and </script> close tag in the "MAJOR" tile widget on their profile customization page at https://ui.cloudbb.blackboard.com/profiles/me. All tiles are vulnerable; however, the "MAJOR" tile is the only element shown when hovering over a profile, which makes it the most notable tile to work on.
  2. Before hitting save, the entered text should show up in a pull-down menu; select it from this menu.
  3. On submission, the script is stored in the profile's public page. Thus, whenever the profile is visited, the script tags are interpreted and any JavaScript code between the two script tags is executed in the visitor's browser. Hovering over the attacker's icon in the My Learning Network at https://example.blackboard.com/webapps/bb-social-learning-bb_bb60/execute/mybb?cmd=display&toolId=CloudCoreGateOnMyBb_____CloudPeopleTool also causes the code to be executed in the visitor's browser. In addition to these affected resources, the discussion boards at https://example.blackboard.com/webapps/discussionboard/do/message? include a user's icon that can be hovered over or clicked on, which can also trigger the scripts.
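
The root cause described above is tile input that is stored unsanitized and then interpreted wherever the profile, hover card or discussion-board icon is rendered. As an added example (not Blackboard's code and not part of the original advisory), the JavaScript below shows output encoding at render time together with an audit pass over already-stored tile values; the function names and the sample profiles are constructed for illustration.

```javascript
"use strict";
// Added example: escapeHtml, renderTile, auditTiles and SAMPLE_PROFILES are
// hypothetical names and constructed data, not Blackboard code.

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode a value for HTML element content and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render one profile tile (profile page or hover card). Every stored field
// is encoded at output time, so stored markup is shown as inert text.
function renderTile(label, value) {
  return `<div class="profile-tile" title="${escapeHtml(value)}">` +
    `<span class="tile-label">${escapeHtml(label)}</span>: ` +
    `<span class="tile-value">${escapeHtml(value)}</span></div>`;
}

// Audit stored tiles: report values containing something that looks like
// the start of an HTML tag, which has no place in a plain-text tile.
function auditTiles(profiles) {
  const tagStart = /<\/?[a-z!]/i;
  const findings = [];
  for (const profile of profiles) {
    for (const [tile, value] of Object.entries(profile.tiles)) {
      if (tagStart.test(value)) findings.push({ user: profile.user, tile });
    }
  }
  return findings;
}

// Constructed sample data: one ordinary profile, one with stored markup.
const SAMPLE_PROFILES = [
  { user: "student1", tiles: { MAJOR: "Math & Computer Science" } },
  { user: "student2", tiles: { MAJOR: "<script>/* constructed */</script>" } },
];

for (const profile of SAMPLE_PROFILES) {
  console.log(renderTile("MAJOR", profile.tiles.MAJOR));
}
console.log(auditTiles(SAMPLE_PROFILES));
```

Encoding at render time protects every page that displays the tile, while the audit pass identifies profiles whose stored values should be reviewed and cleaned.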

HTTP Request Example:

[Image: HTTP request example]


Credit:

Kyle Timmermans

https://www.linkedin.com/in/kyle-timmermans/

https://twitter.com/KyleTimmermans

https://github.com/kyletimmermans/