Relate learning and teaching system versions prior to 2024.1 suffer from a persistent cross site scripting vulnerability.
3a5eecac3aca18d20a7a031bd440baad2966d7f4f2e4228a13dd171b4d91f376# Exploit Title: Relate Learning And Teaching system Version before 2024.1 Stored XSS
# Date: 18/04/2024
# Exploit Author: kai6u
# Vendor Homepage: https://github.com/inducer/
# Software Link: https://github.com/inducer/relate
# Affected Version:before 2024.1 (https://github.com/inducer/relate/commit/2fdbd4480a2d0a45c746639be244a61a0d4112b6)
# Fixed Version:2024.1 (https://github.com/inducer/relate/commit/d9fa7dcb84b8e5a64ce78ced4f56cdd61c0d59aa)
# Tested on: Ubuntu 22.04
# Summary:
Stored XSS in Relate
# Description:
* 【Prerequisite】
* The attacker has stolen the privilege to answer the exam content. For example, attacker is logged in as a student and have obtained Exam tickets to take the exam.
* The exam is using the following question yaml file.
* https://github.com/inducer/relate-sample/blob/main/questions/multi-question-example.yml
* Stored XSS is performed when the payload is stored and the results are referenced when the exam content is submitted.
1) First, Attacker answer question with below payload.
* Paylod:
* `<script>alert(1)</script>`
2) Next, Course Administrator or Instructor logged in and check answer of this student.( with Exam Analytics view)
* Access to quiz_start/inlinemultin url.
3) Executed Payload and Alert was popped up.
* An attacker can use this feature to force arbitrary requests via JavaScript on users who can view the results.( The content of the request to be enforced and the source code of the malicious JavaScript are described below. )
# References
https://portswigger.net/web-security/cross-site-scripting/stored
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed