Document Title:
===============
Docebo LMS v6.9 - (Clone Links) Persistent Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1878

Release Date:
=============
2016-12-19

Vulnerability Laboratory ID (VL-ID):
====================================
1878

Common Vulnerability Scoring System:
====================================
3.5

Product & Service Introduction:
===============================
Docebo is a SaaS/cloud platform for e-learning, also known as a learning management system. The name comes from the Latin word docere. Docebo is used for corporate learning and has interfaces for videoconferencing and HR systems. Using an online system for learning and training cuts down the time needed and the costs of things such as printing and distributing materials.

(Copy of the Vendor Homepage: https://www.docebo.com/learning-management-system-lms/ & https://en.wikipedia.org/wiki/DoceboLMS )

Abstract Advisory Information:
==============================
A Vulnerability Laboratory core team researcher discovered an application-side cross site scripting vulnerability in the Docebo LMS content management system.

Vulnerability Disclosure Timeline:
==================================
2016-12-19: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Docebo
Product: Docebo LMS - Content Management System (Web-Application) 6.9

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Low

Technical Details & Description:
================================
A persistent cross site scripting web vulnerability has been discovered in the official Docebo LMS v6.9 web-application. The vulnerability allows remote attackers to inject their own script code on the application-side of the affected application module.
Remote attackers are able to inject malicious JavaScript code into the main user module of the contribution channel. Users with low privileges are able to inject it through cloned links and share it with LMS admins and super users, other users and more. The vulnerability is located in the vulnerable parameter `App7020Assets%5Btitle%5D` of the module `app[NUM]/index.php?r=assets/index`. The vulnerability allows restricted user accounts with low privileges to inject their own malicious payload, without secure parsing, on the application-side. The request method to inject is POST and the attack vector is persistent.

The security risk of the application-side cross site scripting vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.5.

Exploitation of the persistent input validation web vulnerability requires a low privilege web-application user account and low user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected or connected application modules.

Vulnerable Method(s):
[+] POST

Vulnerable Module(s):
[+] app7020/index.php?r=axAssets/axSubmitAsset

Vulnerable Parameter(s):
[+] App7020Assets%5Btitle%5D

Proof of Concept (PoC):
=======================
The application-side validation web vulnerability can be exploited by low privilege web-application user accounts with low user interaction. For security demonstration or to reproduce the application-side web vulnerability, follow the provided information and steps below.

Manual steps to reproduce the vulnerability ...

1. A user enrolls in the LMS course and moves to https://SUBDOMAIN.localhost:8080/app[NUM]/index.php?r=assets/index
   Example: https://vulnlab.localhost:8080/app7020/index.php?r=assets/index
2. In the form called "Create a knowledge asset by sharing a link!", type http://vuln-lab.com and then share.
   Note: Wait a couple of seconds for the target to be cloned; then a popup message appears with title and description.
3. In the title field, type this payload: '>
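The popup that shows the cloned link's title and description is where a stored title is rendered back to other users. The following is an added example, not Docebo's code: it contrasts the pattern that lets a stored title change the page markup with a hardened version that encodes every untrusted field for the context it lands in. The popup structure, the function names and the sample asset are assumptions constructed for illustration.

```javascript
// Added example (not Docebo's code). The popup markup below is a constructed
// stand-in for whatever the real application renders.

// Minimal encoder for HTML text nodes and double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Vulnerable pattern: the stored asset title is concatenated straight into
// the popup markup, so a title containing a quote or a tag changes the
// HTML structure instead of being displayed as text.
function renderAssetPopupUnsafe(asset) {
  return `<div class="asset-popup"><input name="title" value='${asset.title}'>` +
         `<p>${asset.description}</p></div>`;
}

// Hardened pattern: every untrusted field is encoded before it is placed in
// an attribute or a text node, so the structure of the popup is fixed by
// the template and never by the stored data.
function renderAssetPopupSafe(asset) {
  return `<div class="asset-popup"><input name="title" value="${escapeHtml(asset.title)}">` +
         `<p>${escapeHtml(asset.description)}</p></div>`;
}

// Reviewer check: does an untrusted value survive verbatim as markup?
function containsRawMarkup(html, untrusted) {
  return html.includes(untrusted);
}

// Constructed sample: a title that closes the attribute and opens an element.
const sampleAsset = {
  title: "'><b>injected</b>",
  description: 'cloned link description',
};

console.log('unsafe:', renderAssetPopupUnsafe(sampleAsset));
console.log('safe:  ', renderAssetPopupSafe(sampleAsset));
```

The same contextual encoding has to be applied on the server side wherever the stored `title` value is emitted, since the persistence of the payload means every later viewer of the asset is affected.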