SureCloud identified a stored cross-site scripting (XSS) vulnerability within the Open edX platform in versions earlier than Lilac release-2021-08-02-19.11, a Learning Management System (LMS) used by many large organizations including Microsoft, IBM and several universities.
JavaScript access to the main session token was restricted, preventing trivial session hijack. However, account hijack was still possible by leveraging the XSS vulnerability to replace the email address associated with an account with an attacker-controlled address and then issuing a password reset request.
The following article aims to provide a technical overview of the identified vulnerability.
Open edX is an open-source project that is available on GitHub (https://github.com/edx/edx-platform). For testing purposes, the Docker-based Open edX distribution Tutor (https://docs.tutor.overhang.io/) was used to deploy a local instance of the latest Lilac release.
The Open edX platform was observed to render LaTeX content within discussion posts from an authenticated perspective. Leveraging LaTeX injection, it was possible to achieve stored XSS in the form of a malicious JavaScript URL that could be embedded into a discussion post. If a user viewed and clicked on the URL, the stored JavaScript would be executed in the context of their session.
The following payload that would cause a popup box if executed was used to detect and validate the presence of this vulnerability:
This vulnerability was assigned a CVSSv3 score of 6.1, based on vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
To demonstrate the impact of XSS and the importance of fixing other less severe issues, SureCloud chained multiple issues together to achieve account hijack on the Open edX platform. The issues chained together were as follows:
‘/api/user/v1/accounts/username’ endpoint, populating the end of the URL with the obtained username and setting the ‘X-Csrftoken’ header to the value that was obtained from the relevant cookie.
The following video also demonstrates the described attack chain:
As of release-2021-08-02-19.11, Open edX sanitizes untrusted user input to prevent LaTeX code containing JavaScript URLs from rendering on the frontend. This fix successfully mitigates the aforementioned XSS vulnerability (CVE-2021-39248).
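The root cause described above is a link rendered from user-supplied LaTeX whose href carried a JavaScript URL. The fix, as the article states, is to sanitize the rendered output so such URLs never reach the page. The following is an added example of that kind of sanitization, written for this article and not taken from the edx-platform code base; it assumes a hypothetical rendering step that receives an href and link text and emits an anchor tag. It generalizes the single `javascript:` case from the article to the equivalent encodings a browser would still execute (mixed case, embedded tab or newline characters, HTML numeric entities) and to other script-capable schemes such as `data:`, by allow-listing schemes rather than deny-listing them.

```python
import html
import re
from urllib.parse import urlparse

# Schemes a discussion post is allowed to link to. Anything not listed here
# (javascript:, data:, vbscript:, ...) is rejected. Allow-listing is the
# robust choice: new or obscure script-capable schemes are denied by default.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Browsers strip ASCII control characters and whitespace (0x00-0x20, 0x7f)
# from inside a URL before resolving its scheme, so "java\tscript:" is
# treated as "javascript:". Normalize the same way before checking.
_CTRL_WS = re.compile(r"[\x00-\x20\x7f]")


def is_safe_url(raw):
    """Return True only if the URL is relative or uses an allow-listed scheme.

    The check is done on the browser-normalized form of the URL, so encoded or
    obfuscated variants of a JavaScript URL are rejected as well.
    """
    if raw is None:
        return False
    # Rendered markup is HTML, so entity-encode first: "&#106;avascript:"
    # becomes "javascript:" in the browser and must be judged as such.
    url = html.unescape(raw)
    url = _CTRL_WS.sub("", url)
    scheme = urlparse(url).scheme.lower()
    if scheme == "":
        # Relative path, fragment-only, or protocol-relative (//host/path) link.
        return True
    return scheme in ALLOWED_SCHEMES


def render_link(href, text):
    """Hypothetical rendering step: emit an anchor for a user-supplied link.

    Unsafe hrefs are neutralized to "#" rather than dropped, so the post still
    renders readably, and both the href and the link text are attribute/text
    escaped so the link cannot break out of the tag it is placed in.
    """
    safe_href = href if is_safe_url(href) else "#"
    return '<a href="%s">%s</a>' % (
        html.escape(safe_href, quote=True),
        html.escape(text),
    )


if __name__ == "__main__":
    # Constructed sample inputs, in the shape a LaTeX-to-HTML step might pass on.
    samples = [
        "https://example.org/courses",
        "/courses/about",
        "javascript:alert(1)",
        "JaVaScRiPt:alert(1)",
        "java\tscript:alert(1)",
        "&#106;avascript:alert(1)",
        "data:text/html,<script>alert(1)</script>",
    ]
    for s in samples:
        print("%-45r safe=%s" % (s, is_safe_url(s)))
```

One caveat for an LMS deployment: `urlparse` treats any leading `letters-digits:` prefix as a scheme, so a relative link such as `course-v1:Org+Course+Run` that omits a leading slash would be rejected. If such identifiers appear in links, prefix them with the path they belong under before the check rather than widening the allow-list.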
All administrators of Open edX platforms are advised to upgrade to the latest Lilac release.