Cross-site Scripting (XSS) - Reflected in gibbonedu/core

Valid

Reported on

Jan 22nd 2022


Description

There is a reflected XSS in the tab parameter of both the student dashboard and the staff dashboard.

Proof of Concept

Visit http://localhost/gibon/index.php?tab=asd%3C/script%3E%3Csvg/onload=alert(1)%3E

Impact

This vulnerability results in XSS, which can then be leveraged for further impact.
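As an added illustration (not Gibbon's own code and not the code at the validated lines), the constructed PHP below shows the reflection pattern the PoC payload implies, beside a hardened version; the inline-script context, the tab names and the function names are all assumptions.

```php
<?php
// Constructed example, not Gibbon's code. Assumption: the dashboard writes the `tab` query
// parameter into an inline <script> block to select the active tab. The report's payload
// asd</script><svg/onload=alert(1)> works against that pattern because a literal </script>
// inside the string closes the script element and the remainder is parsed as HTML.

// Vulnerable pattern (constructed): raw reflection into a JavaScript string literal.
function renderTabScriptUnsafe(string $tab): string
{
    return "<script>var activeTab = '" . $tab . "';</script>";
}

// Hardened: (1) allow-list the value server-side, (2) encode for the JS-in-HTML context.
const ALLOWED_TABS = ['overview', 'timetable', 'planner']; // assumed tab names

function normaliseTab(?string $tab): string
{
    // Strict comparison; anything not in the list falls back to the first tab.
    return in_array($tab, ALLOWED_TABS, true) ? $tab : ALLOWED_TABS[0];
}

function renderTabScriptSafe(?string $tab): string
{
    $tab = normaliseTab($tab);
    // JSON_HEX_TAG turns < and > into \u003C / \u003E, so "</script>" can never appear in the
    // output even if the allow-list is later relaxed; the other flags cover quotes and ampersands.
    $encoded = json_encode($tab, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return "<script>var activeTab = " . $encoded . ";</script>";
}

// If the value is instead reflected into HTML (e.g. a tab link), escape for that context.
function renderTabLinkSafe(?string $tab): string
{
    $tab = normaliseTab($tab);
    return '<a href="index.php?tab=' . rawurlencode($tab) . '">'
        . htmlspecialchars($tab, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</a>';
}

// Demonstration with the decoded form of the PoC query string. In a real handler the input
// would be $_GET['tab'] ?? null.
$payload = "asd</script><svg/onload=alert(1)>";
echo renderTabScriptUnsafe($payload), PHP_EOL;  // closing tag breaks out of the script block
echo renderTabScriptSafe($payload), PHP_EOL;    // rejected by the allow-list: falls back to "overview"
echo renderTabScriptSafe('timetable'), PHP_EOL; // accepted value, emitted as a JSON string
echo renderTabLinkSafe($payload), PHP_EOL;      // safe in HTML context as well
```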

We are processing your report and will contact the gibbonedu/core team within 24 hours. 4 months ago
We have contacted a member of the gibbonedu/core team and are waiting to hear back 4 months ago
gibbonedu/core maintainer validated this vulnerability 4 months ago
noobexploiterhuntrdev has been awarded the disclosure bounty
The fix bounty is now up for grabs
noobexploiterhuntrdev
4 months ago

Researcher


Hi @admin, this seems to be fixed now. Can I request a CVE for this as reserved, and publish it after 3 months as per the maintainer's request?

Jamie Slome
4 months ago

Admin


@noobexploiterhuntrdev - thanks for your question.

When CVEs are not automatically assigned to reports, we require explicit consent from the maintainer to assign a CVE.

We typically also require the maintainers to confirm a fix before making the report public; otherwise, we wait 90 days from the date of report creation to make the report public.

gibbonedu/core maintainer confirmed that a fix has been merged on 4a735c 4 months ago
The fix bounty has been dropped
StudentDashboard.php#L310 has been validated
StaffDashboard.php#L563 has been validated
gibbonedu/core maintainer
4 months ago

Maintainer


Hi there, we've confirmed the fix in our latest version of Gibbon and have notified our community that updating their installations should be a high priority.

As per our security policy, we ask that developers do not immediately post security vulnerabilities in a CVE database. Many schools who use Gibbon may have limited funds or IT infrastructure and may only update once or twice a year. It's important to give our community ample time to update their systems before a vulnerability is posted on a public database. Once an issue has been patched and released to the community, we are open to posting these after a window of 3 months, to help ensure all systems are updated. We want to be sure to consider our schools and their capacity, to ensure we're putting their interests first.

Jamie Slome
4 months ago

Admin


@maintainer - thanks for the in-depth update here.

It is our priority to do better with you and your experience on our platform this time, so we will hold off on the CVE until you are ready for one to be published. We will wait for the 3-month window, and if you are still happy to publish a CVE, we will go ahead and do this for you.

We respect and understand that the resources of the schools using your service may be limited, and so believe it would only be courteous and right for us to respect this too.

Have a great day! 🤝

noobexploiterhuntrdev
2 months ago

Researcher


Hello @admin, three months have now passed since I disclosed this. Perhaps we can request a CVE now? Thanks

Jamie Slome
2 months ago

Admin


I believe that the maintainer has requested that we only publish a CVE once the FIX has been live for three months, not since the point of disclosure.

@maintainer - can you please confirm this?
