Vulnerability Lab researchers discovered remotely exploitable cross-site scripting vulnerabilities in Blackboard Mobile Learn v9.
The education platform's mobile application is reported to contain several persistent (stored) input validation vulnerabilities that let remote attackers inject malicious script on the application side. The flaw lies in the application's question-answer module. If exploited successfully, it could lead to persistent session hijacking or stable manipulation of the page context, according to Vulnerability Lab.
Blackboard is a widely used education platform on which instructors post and students access assignments, notes, test scores and discussion forums.
Seclists.org reported that the vulnerability in the Mobile Learn mobile application allows attackers to inject malicious scripts into the answers to a survey created by the administrator of a given Blackboard page. Vulnerability Laboratory found that the injection worked when the answer was entered as Smart Text or HTML; plain text input has not yet been tested.
Seclists.org suggests that the vulnerability can be fixed by validating survey answer inputs, parsing the sections where script is executed, and filtering for suspicious words such as 'script' and 'iframe'. Filtering on keywords alone is a weak mitigation, however: a payload that uses an event-handler attribute on some other tag (an img or svg element, for instance) contains neither word and passes straight through, while a legitimate answer that happens to use the word 'script' is discarded. The standard fix is to encode the answer for the HTML context in which it is rendered rather than to blacklist strings.
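As an added illustration (not code from this page, from Blackboard or from Vulnerability Lab), the following JavaScript contrasts a keyword blacklist of the kind Seclists.org suggests with HTML output encoding, both applied to a hypothetical survey-answer rendering step. The function names, the table-cell rendering context and the sample answers are all assumptions constructed for the example.

```javascript
// Added example, not Blackboard's code: a keyword blacklist of the kind
// Seclists.org proposes, compared with HTML output encoding, both applied
// to a hypothetical survey-answer rendering step. Every answer below is
// constructed for illustration.

const BLACKLIST = ["script", "iframe"];

// Weak fix: discard any answer that mentions a blacklisted word.
function blacklistFilter(answer) {
  const lower = String(answer).toLowerCase();
  return BLACKLIST.some((word) => lower.includes(word)) ? "" : String(answer);
}

// Robust fix: encode the characters that can open markup or break out of a
// quoted attribute, so the answer is rendered as text in element content
// and in double- or single-quoted attribute values.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function htmlEncode(answer) {
  return String(answer).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hypothetical rendering step: the sanitized answer lands in a table cell.
function renderAnswerRow(answer, sanitize) {
  return `<tr><td>${sanitize(answer)}</td></tr>`;
}

// An answer is inert if nothing in it can still open a tag, a comment or a
// closing tag once it is interpolated into element content.
function isInert(sanitizedAnswer) {
  return !/<[a-z!\/]/i.test(sanitizedAnswer);
}

// Constructed sample answers: one the blacklist catches, two it misses, and
// two legitimate answers that show the blacklist's false positive.
const SAMPLE_ANSWERS = [
  "<script>alert(1)</script>",
  '<img src=x onerror="alert(document.cookie)">',
  "<svg onload=alert(1)>",
  "I wrote the script for the play",
  "Answer: 3 < 5",
];

// Run both sanitizers over the samples and report, per answer, what the
// sanitized output and rendered row are and whether the output is inert.
function compareFilters(answers) {
  const sanitizers = { blacklist: blacklistFilter, encode: htmlEncode };
  const report = {};
  for (const [name, sanitize] of Object.entries(sanitizers)) {
    report[name] = answers.map((input) => ({
      input,
      output: sanitize(input),
      rendered: renderAnswerRow(input, sanitize),
      inert: isInert(sanitize(input)),
    }));
  }
  return report;
}

console.log(JSON.stringify(compareFilters(SAMPLE_ANSWERS), null, 2));
```

Run with node. The blacklist removes the textbook script tag but passes the img and svg payloads through untouched, and it deletes a harmless sentence because it contains the word "script"; the encoder keeps every answer intact and turns none of them into live markup. The regex in isInert is only a quick check for the demonstration; a real test would parse the rendered row with a DOM parser.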
The vulnerability impact is estimated at medium.