Pearson eSIS Enterprise Student Information System Stored XSS

Advisory ID: hag201477
Product: Pearson eSIS Enterprise Student Information System
Vendor: PearsonVue
Vulnerable Version(s): Any version
Advisory Publication: April 06, 2014
Vendor Notification: March 05, 2014
Public Disclosure: April 06, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-1454
Risk Level: Medium
CVSSv2 Base Score: 6.4 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Solution not yet released
Discovered and Provided: Tudor Enache from Help AG Middle East

about the vendor:
Pearson VUE provides a full suite of services from test development to data management, and delivers exams through the world’s most comprehensive and secure network of test centers in 175 countries. Pearson VUE is a business of Pearson (NYSE: PSO; LSE: PSON), the world's leading learning company.

Advisory Details:

During a Pentest Help AG discovered the following:
Stored cross-site scripting (XSS) vulnerability in the message board. Logged in as a Super User we managed to inject malicious cross site scripting payloads via enterprise messages. The payload would execute in the context of every user in the system. This could be used to hijack session, provide victims with phishing pages or completely compromise the computer that is executing the payload.

1) Stored Cross-Site Scripting (XSS) in Pearson eSIS Enterprise Student Information System: CVE-2014-1454

To reproduce the issue a Super User account is needed. After that is accomplished one needs to log in, go to the message board functionality of eSIS and create a new enterprise message using the HTML tab and add the following payload as a message:
<img src="https://esisplatform.example.com/aal/1&quot; onerror="alert(document.cookie)">

Hackers could compromise a Super User account and send a malicious message to every teacher/student using the platform. This can be anything from a session hijacker script to a malicious backdoor

Solution:

The vendor was notified, contact the vendor for the patch details

References:

[1] help AG middle East http://www.helpag.com/.
[2] Peason eSIS http://www.pearsonschoolsystems.com/products/esis/
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVEВ® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible.