James Connolly

#20636 of 53,632
12.2 Total CVSS
Vulnerabilities · 2
Medium · 2
PT-2024-13297
6.1
2024-01-23
Classlink · Classlink Oneclick Extension · CVE-2023-45889
**Name of the Vulnerable Software and Affected Versions**
ClassLink OneClick Extension versions through 10.8

**Description**
A Universal Cross Site Scripting (UXSS) issue allows remote attackers to inject JavaScript into any webpage. This issue exists due to an incomplete fix for a previous problem.

**Recommendations**
For ClassLink OneClick Extension versions through 10.8, update to a version that fully addresses the incomplete fix issue to prevent JavaScript injection attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

PT-2023-15879
6.1
2023-10-16
Classlink · Classlink Oneclick Extension · CVE-2022-48612
**Name of the Vulnerable Software and Affected Versions**
ClassLink OneClick Extension versions through 10.7

**Description**
A Universal Cross Site Scripting (UXSS) issue allows remote attackers to inject JavaScript into any webpage. This is because a regular expression, which validates whether a URL is controlled by ClassLink, is not present in all applicable places.

**Recommendations**
For ClassLink OneClick Extension versions through 10.7, update to a version that includes the necessary regular expression validation to prevent JavaScript injection. At the moment, there is no information about a newer version that contains a fix for this vulnerability.