GUnet Open eClass version 3.12.1 is affected by a reflected Cross-Site Scripting (XSS) vulnerability via the auth parameter in the teacher registration form.
——————————————
[Vulnerability Type]
Cross Site Scripting (XSS)
——————————————
[Vendor of Product]
GUnet (Greek Academic Network)
——————————————
[Affected Product Code Base]
https://www.openeclass.org/ – 3.12.1 and prior versions are affected – 3.12.2 (latest) fixes the issue
——————————————
[Affected Component]
/modules/auth/formuser.php?auth=
——————————————
[Attack Type]
Remote
——————————————
[CVE Impact Other]
Reflected cross-site scripting (XSS)
——————————————
[Reference]
https://hg.gunet.gr/openeclass/rev/e0ed11f5768d
https://docs.openeclass.org/el/current#%CE%AD%CE%BA%CE%B4%CE%BF%CF%83%CE%B7_3122
——————————————
[Has vendor confirmed or acknowledged the vulnerability?]
true
——————————————
[Discoverer]
Elpidoforos Maragkos
The auth parameter in the teacher registration page (modules/auth/formuser.php) is vulnerable to reflected XSS. The vulnerability affects version 3.12.1 and probably earlier ones.
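
For installations that cannot move to 3.12.2 immediately, web server access logs can be reviewed for requests to the affected component that carry markup in the auth parameter. The following is an added example, not code from Open eClass or from the discoverer; the log format, the sample lines, and the assumption that legitimate auth values are short numeric ids are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

TARGET_PATH = "/modules/auth/formuser.php"   # component named in the advisory
# Assumption (not stated in the advisory): legitimate auth values are short numeric ids.
EXPECTED_AUTH = re.compile(r"^\d{1,3}$")
# Request line inside a common/combined access-log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
MARKUP_CHARS = set("<>\"'`")

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(log_line):
    """Return None (irrelevant or expected), 'unexpected' or 'markup'."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.endswith(TARGET_PATH):   # also matches sub-directory installs
        return None
    verdict = None
    pairs = parse_qsl(url.query, keep_blank_values=True)  # decodes one layer
    for raw in (v for k, v in pairs if k == "auth"):
        value = fully_decode(raw)
        if MARKUP_CHARS & set(value):
            return "markup"                  # HTML metacharacters after decoding
        if not EXPECTED_AUTH.match(value):
            verdict = "unexpected"           # not markup, but not a numeric id
    return verdict

def scan(lines):
    """Return (line_number, verdict) for every line worth a closer look."""
    return [(i, v) for i, line in enumerate(lines, 1) if (v := classify(line))]

# Constructed sample entries (documentation IP range, harmless placeholder tag).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /modules/auth/formuser.php?auth=1 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /modules/auth/formuser.php?auth=%3Cx%3E HTTP/1.1" 200 5140',
    '192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /eclass/modules/auth/formuser.php?auth=%253Cx%253E HTTP/1.1" 200 5140',
    '192.0.2.13 - - [01/Jan/2024:10:00:12 +0000] "GET /modules/auth/formuser.php?auth=abc HTTP/1.1" 200 5100',
    '192.0.2.14 - - [01/Jan/2024:10:00:15 +0000] "GET /index.php?auth=%3Cx%3E HTTP/1.1" 200 900',
]
```

Calling scan(SAMPLE_LOG) reports lines 2 and 3 as markup (the latter double-encoded) and line 4 as an unexpected value; real logs can be passed in as any iterable of lines.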