CVE-2020-9439

Name of the Vulnerable Software and Affected Versions Uncanny Owl Tin Canny LearnDash Reporting versions prior to 3.4.4

Description The issue allows authenticated remote attackers to inject arbitrary web script or HTML via several parameters, including the search key GET parameter in TinCan Content List Table.php, message GET parameter in licensing.php, and multiple tc filter parameters in reporting-admin-menu.php. These parameters include tc filter group, tc filter user, tc filter course, tc filter lesson, tc filter module, tc filter action, tc filter data range, and tc filter data range last.

Recommendations For versions prior to 3.4.4, update to version 3.4.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected parameters, such as search key, message, and the tc filter parameters, until a patch is applied. Avoid using these parameters in the affected API endpoints, specifically in TinCan Content List Table.php and licensing.php, until the issue is resolved.