PT-2019-8928 · Blackboard · Blackboard Learn
Published
2019-11-18
·
Updated
2019-11-25
·
CVE-2018-13257
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Blackboard Learn version 2018-07-02
Description
The issue concerns HTTP host header spoofing during Central Authentication Service (CAS) service ticket validation in the bb-auth-provider-cas authentication module. This allows for a phishing attack from the CAS server login page.
Recommendations
For Blackboard Learn version 2018-07-02, consider restricting access to the bb-auth-provider-cas authentication module until a fix is available. As a temporary workaround, restrict the use of the CAS service ticket validation to minimize the risk of exploitation.
Exploit
Fix
Open Redirect
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Blackboard Learn