A Cross-Site Scripting vulnerability in core-eMLi in eMLi V1.0 allows an attacker to send malicious code, generally in the form of a browser-side script, to a different end user.
What is Cross-Site Scripting?
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
Impact Scenario :
1. Account Hijacking
2. Website Defacement
3. Stealing Credentials
4. Sensitive Data Leak
Affected Versions :
eMLi : School Management - 1.0
eMLi : College Campus Management - 1.0
eMLi : University Management - 1.0
Vulnerability Reproduction Steps (POC):
Step 1: Visit the URL of any of the affected versions.
Step 2: Log in to the student portal.
Step 3: Replace the URL with this:
[host]/core-emli/code/student_portal/home.php?page=%08x.%08x.%08x.%08x.%08x%3Cscript%3Ealert%28String.fromCharCode%2888%2C%2083%2C%2083%29%29%3C%2fscript%3E
Step 4: The final URL will produce a dialog box labelled XSS on the web page. An attacker can gain access to the whole system with a specially crafted malicious script.
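For defenders checking whether this request pattern has reached a deployment, the following added example (not part of the original advisory or the eMLi code) scans access-log lines for `page` values on `student_portal/home.php` that fail an allowlist after repeated percent-decoding. The log format, the allowlist pattern, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Path suffix and parameter name are taken from the advisory's PoC URL.
TARGET_SUFFIX = "/student_portal/home.php"
PARAM = "page"
# Assumption: legitimate page names are short identifiers; adjust per deployment.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_\-]{1,64}")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (combined-log style, documentation IPs).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /core-emli/code/student_portal/home.php?page=dashboard HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2024:10:02:11 +0000] "GET /core-emli/code/student_portal/home.php?page=%08x.%08x.%08x.%08x.%08x%3Cscript%3Ealert%28String.fromCharCode%2888%2C%2083%2C%2083%29%29%3C%2fscript%3E HTTP/1.1" 200 5300',
    '192.0.2.45 - - [01/Jan/2024:10:03:40 +0000] "GET /core-emli/code/student_portal/home.php?page=%253Cb%253E HTTP/1.1" 200 5200',
    '192.0.2.46 - - [01/Jan/2024:10:04:02 +0000] "GET /core-emli/code/index.php?page=%3Cb%3E HTTP/1.1" 200 100',
]


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def suspicious_page_values(log_line):
    """Return decoded `page` values in this log line that fail the allowlist."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith(TARGET_SUFFIX):
        return []
    values = parse_qs(url.query, keep_blank_values=True).get(PARAM, [])
    decoded = [fully_decode(v) for v in values]
    return [v for v in decoded if not SAFE_VALUE.fullmatch(v)]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for value in suspicious_page_values(line):
            print(repr(value))
```

Matching against an allowlist of expected page names, rather than a list of known-bad strings, also flags the encoded control characters at the start of the PoC value.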
Notes :
- The Common Vulnerabilities and Exposures (CVE) project has assigned the ID CVE-2017-7621 to this issue. This is an entry on the CVE List, which standardizes names for security problems.
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7621
- CVE ID: CVE-2017-7621
- In case of any doubts please contact me on unqdrms [at] gmail [dot] com