GUnet Open eClass Reflected XSS CVE-2021-44266

GUnet Open eClass version 3.12.1 is affected by a reflected Cross-Site Scripting (XSS) vulnerability via the auth parameter in the teacher registration form.

——————————————

[Vulnerability Type]
Cross Site Scripting (XSS)

——————————————

[Vendor of Product]
GUnet (Greek Academic Network)

——————————————

[Affected Product Code Base]
https://www.openeclass.org/ – 3.12.1 and prior versions are affected – 3.12.2 (latest) fixes the issue

——————————————

[Affected Component]
/modules/auth/formuser.php?auth=

——————————————

[Attack Type]
Remote

——————————————

[CVE Impact Other]
Reflected cross-site scripting (XSS)

——————————————

[Reference]
https://hg.gunet.gr/openeclass/rev/e0ed11f5768d
https://docs.openeclass.org/el/current#%CE%AD%CE%BA%CE%B4%CE%BF%CF%83%CE%B7_3122

——————————————

[Has vendor confirmed or acknowledged the vulnerability?]
true

——————————————

[Discoverer]
Elpidoforos Maragkos

The auth parameter in the teacher registration page (modules/auth/formuser.php) is vulnerable to reflected XSS. The vulnerability affects version 3.12.1 and probably earlier ones.
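
For sites still running an affected version, the following log-triage sketch flags requests to the affected component whose auth value contains HTML-significant characters after percent-decoding. It is an added example, not code from the advisory or from the Open eClass project. It assumes a combined-format access log, the character set is a triage heuristic, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

TARGET_PATH = "/modules/auth/formuser.php"  # component named in the advisory
HTML_SIGNIFICANT = set("<>\"'`")  # can break out of HTML text/attribute context
# Request part of a combined-format access log line (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values are normalised."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_auth_values(line):
    """Return decoded auth values on the target path that contain markup characters."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.endswith(TARGET_PATH):
        return []
    pairs = parse_qsl(url.query, keep_blank_values=True)  # decodes once
    values = [fully_decode(raw) for key, raw in pairs if key == "auth"]
    return [v for v in values if HTML_SIGNIFICANT & set(v)]

def scan(lines):
    """Map 1-based line numbers to the flagged auth values found on that line."""
    found = {}
    for number, line in enumerate(lines, 1):
        hits = suspicious_auth_values(line)
        if hits:
            found[number] = hits
    return found

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Dec/2021:10:00:00 +0000] "GET /modules/auth/formuser.php?auth=1 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Dec/2021:10:00:05 +0000] "GET /modules/auth/formuser.php?auth=1%22%3E%3Cb%3E HTTP/1.1" 200 5190',
    '192.0.2.12 - - [01/Dec/2021:10:00:09 +0000] "GET /eclass/modules/auth/formuser.php?auth=%253Ci%253E HTTP/1.1" 200 5188',
    '192.0.2.13 - - [01/Dec/2021:10:00:12 +0000] "GET /index.php?auth=%3Cb%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for lineno, flagged in scan(SAMPLE_LOG).items():
        print(lineno, flagged)
```

A hit shows only that markup reached the parameter, not that it executed in a browser; the remediation remains the upgrade to 3.12.2.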