WeBWorK Main Forum

WeBWorK 2.18 cross-site scripting vulnerabilities

Re: WeBWorK 2.18 cross-site scripting vulnerabilities

by Glenn Rice
Being able to inject something like "<--! hello" into a page title by adding "%3C--!%20hello" to the URL is not a cross-site scripting vulnerability. It only becomes a cross-site scripting vulnerability if something injected into the URL contains a script that will actually be executed because the site does not sanitize the URL and literally injects the passed contents into the DOM.

So the test that your IT is using is not entirely valid.

However, WeBWorK is vulnerable to a cross-site scripting attack that we now have a mechanism to fix. The vulnerability was reported in https://webwork.maa.org/moodle/mod/forum/discuss.php?d=4295. This will be fixed for the next release.