CVE-2024-25973: Multiple Stored XSS Vulnerabilities Discovered in Frentix GmbH OpenOlat LMS

A recent security issue has been discovered in the Frentix GmbH OpenOlat Learning Management System (LMS), and it has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2024-25973. The issue is related to multiple stored Cross-Site Scripting (XSS) vulnerabilities, which can allow an attacker to execute stored JavaScript code in the context of the victim's browser with the permissions of the victim. This long read post will provide details about the vulnerabilities, including code snippets and links to original references.

The following vulnerabilities have been identified in OpenOlat LMS

1. An attacker with rights to create or edit groups can create a course with a name that contains an XSS payload.
2. Attackers with the permissions to create or rename a catalog (sub-category) can enter unfiltered input in the name field.

Attackers who are allowed to create curriculums can also enter unfiltered input in the name field.

These vulnerabilities are particularly dangerous because they allow an attacker to gain access to sensitive information and potentially manipulate data with the permissions of the victim.

Code Snippets

To demonstrate the vulnerabilities, let's consider a few code snippets that highlight the issue. The following code snippet is an example of an XSS payload that an attacker could inject into the course name:

<script>alert('XSS Payload');</script>

Similarly, the attacker could inject the XSS payload in the catalog (sub-category) name and curriculum name fields:

<script>alert('XSS Payload');</script>

Here are the steps an attacker could take to exploit these vulnerabilities

1. Gain access to an OpenOlat LMS instance with permissions to create or edit groups, catalogs, or curriculums.

Inject an XSS payload in the course name, catalog name, or curriculum name fields.

3. The attacker then waits for another user with elevated permissions to interact with the injected course, catalog, or curriculum.
4. Upon interaction, the stored JavaScript code is executed in the context of the victim's browser with the victim's permissions.

Original References

Details about CVE-2024-25973 can be found in the National Vulnerability Database (NVD) at the following link:
- CVE-2024-25973 - NVD

Further information about the Frentix GmbH OpenOlat LMS, including its features and other security issues, can be found on the official OpenOlat website:
- OpenOlat LMS Official Site

In Conclusion

CVE-2024-25973 highlights the importance of input validation and output sanitization in web applications, particularly in Learning Management Systems like OpenOlat LMS. Mitigating these vulnerabilities requires the implementation of proper input filtering and output escaping mechanisms in the affected fields. If you are a developer, administrator, or user of OpenOlat LMS, please ensure that you update the software to the latest version available and follow the best security practices to safeguard your valuable data and user accounts.

Timeline

Published on: 02/20/2024 08:15:07 UTC
Last modified on: 02/21/2024 07:15:58 UTC