Intrusion Prevention

Dokeos.add_course.XSS

Description

This indicates a possible exploit of multiple remote HTML injection vulnerabilities in the Dokeos application.
Dokeos is an open source e-learning and collaboration application written in PHP, used mostly by the educational community for distance learning over the Internet. A vulnerability has been reported in it that allows an attacker to embed malicious scripts in various fields while adding a new course, because the application does not sufficiently sanitize user input. An attacker needs course-creation permission to exploit it. When a victim browses the maliciously crafted course, the script is executed in the victim's browser in the security context of the site hosting the Dokeos application. By exploiting this, an attacker can gain access to the victim's authentication credentials for that site and to the information the victim submits to it, and can carry out other attacks.

Affected Products

Dokeos 1.5.5 and earlier.

Impact

Gain access to the victim's information, resulting in loss of confidentiality.

Recommended Actions

Sanitize the course database to ensure it is free of scripts. Apply the appropriate patch from the vendor if available, or upgrade to a non-vulnerable version.
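The following is an added PHP example, not Dokeos code, illustrating the two points above: the rendering pattern that turns unsanitized course fields into stored cross-site scripting, beside a hardened version that encodes on output, plus a small triage helper for reviewing stored course records as the recommended actions suggest. The field names, function names and sample course record are hypothetical and constructed for this example.

```php
<?php
// Added example, not Dokeos code. Field and function names are hypothetical.

// Constructed sample: a course record as a user holding course-creation
// permission might have stored it (values chosen to show the problem).
$course = [
    'title'       => 'Intro to Biology<script>alert(1)</script>',
    'description' => 'Fall term" onmouseover="alert(1)',
];

// Vulnerable pattern: user-controlled fields are concatenated straight into
// the page, so whatever markup they contain is rendered in every visitor's
// browser within the site's origin.
function render_course_vulnerable(array $course): string
{
    return '<h2>' . $course['title'] . '</h2>'
         . '<p title="' . $course['description'] . '">Course</p>';
}

// Hardened pattern: encode each value for the HTML context it lands in.
// ENT_QUOTES escapes both quote characters, which closes the attribute
// breakout in the description field; ENT_SUBSTITUTE avoids returning an
// empty string on invalid UTF-8 sequences.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_course_safe(array $course): string
{
    return '<h2>' . h($course['title']) . '</h2>'
         . '<p title="' . h($course['description']) . '">Course</p>';
}

// Triage heuristic for the "sanitize the course database" step: flag stored
// fields that contain tag-like markup, inline event handlers or javascript:
// URLs. It is a review aid, not a filter; expect some false positives.
function looks_like_markup(string $s): bool
{
    return (bool) preg_match('/<\s*\/?\s*[a-z!]|\bon[a-z]+\s*=|javascript:/i', $s);
}

foreach ($course as $field => $value) {
    if (looks_like_markup($value)) {
        echo "review: field '$field' contains markup\n";
    }
}

echo render_course_vulnerable($course), "\n";
echo render_course_safe($course), "\n";
```

Run with `php example.php`. The durable fix is the output encoding in `render_course_safe`, which neutralises both sample fields regardless of what was stored; scanning existing records with `looks_like_markup` only helps clean up entries created before the fix was applied.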