Cross-site Scripting (XSS) - Reflected in gibbonedu/core
Reported on Jan 22nd 2022
Description
There's a reflected XSS in the tab parameter in both the student dashboard and the staff dashboard.
Proof of Concept
Visit http://localhost/gibon/index.php?tab=asd%3C/script%3E%3Csvg/onload=alert(1)%3E
Impact
This vulnerability results in XSS, which can then be used to achieve more things.
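As an added illustration that is not part of the report and not Gibbon's own code: a hypothetical PHP dashboard page that reflects the tab parameter the way the report describes, beside a hardened version that restricts the tab name to an allowlist and HTML-encodes anything it writes into the page. The tab names, function names and constructed input are assumptions for the example.

```php
<?php
// Added example: a hypothetical dashboard page that renders a tab header.
// It is NOT Gibbon's code; it only illustrates the defect class in the report
// (a request parameter reflected into HTML) and the mitigation a maintainer applies.

// VULNERABLE (hypothetical): the request parameter is concatenated straight into
// markup, so the browser parses whatever markup the parameter carries as HTML.
function renderTabHeaderUnsafe(array $query): string
{
    $tab = $query['tab'] ?? 'overview';
    return '<h2 id="tab-' . $tab . '">' . $tab . '</h2>';
}

// HARDENED: two independent controls.
// 1. Allowlist: only tab names the page actually knows are accepted; anything
//    else falls back to the default, so arbitrary input never reaches the markup.
// 2. Output encoding: even an allowlisted value is HTML-encoded at the point of
//    use, so the page stays safe if the allowlist is later loosened or bypassed.
const KNOWN_TABS = ['overview', 'timetable', 'attendance', 'markbook']; // assumed names

function selectTab(array $query, array $known = KNOWN_TABS, string $default = 'overview'): string
{
    $tab = $query['tab'] ?? $default;
    // Strict comparison so type juggling (e.g. 0 == 'overview' in old PHP) cannot match.
    return in_array($tab, $known, true) ? $tab : $default;
}

function escapeHtml(string $value): string
{
    // ENT_QUOTES encodes both ' and " so the value is safe inside quoted attributes;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of silently returning ''.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderTabHeaderSafe(array $query): string
{
    $tab = escapeHtml(selectTab($query));
    return '<h2 id="tab-' . $tab . '">' . $tab . '</h2>';
}

// Demonstration with a constructed query string: markup in the parameter is
// rejected by the allowlist and the default tab is rendered; the last line shows
// that, had the value been reflected, escapeHtml() would have neutralised it.
$constructed = ['tab' => '<b>not a tab</b>'];
echo renderTabHeaderUnsafe($constructed), PHP_EOL; // markup is emitted verbatim
echo renderTabHeaderSafe($constructed), PHP_EOL;   // default tab, encoded
echo escapeHtml($constructed['tab']), PHP_EOL;     // angle brackets become entities
```

Run with `php example.php`. The encoding is context-specific: htmlspecialchars() with ENT_QUOTES covers text nodes and quoted attribute values, which is where this example writes the tab name; a value that ends up inside a script block, a URL or an unquoted attribute needs that context's own encoder, which is why the allowlist is kept as the primary control.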
Hi @admin, this seems to be fixed now. Can I request a CVE for this to be reserved and published after 3 months, as per the maintainer's request?
@noobexploiterhuntrdev - thanks for your question.
When CVEs are not automatically assigned to reports, we require explicit consent from the maintainer to assign a CVE.
We typically also require the maintainers to confirm a fix before making the report public; otherwise, we wait 90 days from the date of report creation to make the report public.
Hi there, we've confirmed the fix in our latest version of Gibbon and have notified our community that updating their installations should be a high priority.
As per our security policy, we ask that developers do not immediately post security vulnerabilities in a CVE database. Many schools who use Gibbon may have limited funds or IT infrastructure and may only update once or twice a year. It's important to give our community ample time to update their systems before a vulnerability is posted on a public database. Once an issue has been patched and released to the community, we are open to posting these after a window of 3 months, to help ensure all systems are updated. We want to be sure to consider our schools and their capacity, to ensure we're putting their interests first.
@maintainer - thanks for the in-depth update here.
It is our priority to do better with you and your experience on our platform this time, so we will hold off on the CVE until you are ready for one to be published. We will wait for the 3-month window, and if you are still happy to publish a CVE, we will go ahead and do this for you.
We respect and understand that the resources of the schools your service supports may be limited, and so believe it would only be courteous and right for us to respect this too.
Have a great day! 🤝
Hello @admin, three months have now passed since I disclosed this. Perhaps we can request a CVE now? Thanks
I believe that the maintainer has requested that we only publish a CVE once the FIX has been live for three months, not since the point of disclosure.
@maintainer - can you please confirm this?
Hi @admin, I kinda forgot about this report, but I believe it's safe to assign a CVE for this bug now.