PT-2023-11795 · Thinkific · Thinkific Online Course Creation Platform

Published

2023-07-25

·

Updated

2024-10-23

·

CVE-2020-35698

CVSS v3.1

6.1

Medium

Vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Thinkific, Thinkific Online Course Creation Platform, version 1.0
Description: The issue is a reflected Cross-Site Scripting (XSS) vulnerability. It allows an attacker to execute arbitrary JavaScript in the browser of a user who opens a crafted link, in that user's authenticated session on the site; it is not remote code execution on the server. The vulnerable component is the website CMS code used by the Thinkific platform. To exploit the vulnerability, a victim needs to visit a specifically crafted link, such as "https://hacktify.thinkific.com/account/billing?success=%E2%80%AA%3Cscript%3Ealert(1)%3C/script%3E" (the payload is the percent-encoded Unicode control character U+202A followed by a script tag). The "/account/billing" endpoint is affected: the value of the success query parameter is reflected into the rendered page without HTML encoding. The CVSS vector is consistent with a reflected XSS: user interaction is required (UI:R), the impact lands in the victim's browser rather than on the vulnerable component (S:C), and confidentiality and integrity are affected (C:L/I:L). Because the same CMS code serves every site hosted on the platform, thousands of websites are potentially affected.
Recommendations: For Thinkific Online Course Creation Platform version 1.0, consider disabling access to the "/account/billing" endpoint until a patch is available. As a temporary workaround, restrict the use of the success parameter on this endpoint (reject or strip values containing HTML metacharacters such as "<", ">" and quotes) to reduce the risk of exploitation. The proper fix is to HTML-entity-encode the success value at the point where it is written into the page; a Content-Security-Policy that disallows inline scripts limits the impact of a reflected payload as defense in depth. Since the CMS is shared platform code, the fix has to come from the vendor; individual site owners can monitor their access logs for crafted links to this endpoint in the meantime. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
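The following is an added example for the Description and Recommendations above; it is not Thinkific's code and does not reproduce their template. It models a page that echoes the success parameter of /account/billing into HTML body context (the pattern the advisory describes) beside the encoded version that fixes it, runs the advisory's own proof-of-concept URL through both, and then scans constructed access-log lines for exploitation attempts against the endpoint. The HTML skeleton, the function names, and the log lines are assumptions made for the demonstration.

```python
"""Reflected XSS via a query parameter: vulnerable vs hardened rendering,
plus an access-log check for exploitation attempts. Added example; the
page fragment, function names and log lines are assumptions."""
import re
from html import escape
from urllib.parse import parse_qs, unquote, urlsplit

# The advisory's proof-of-concept URL. The payload is %E2%80%AA
# (U+202A LEFT-TO-RIGHT EMBEDDING, an invisible control character)
# followed by a percent-encoded <script> tag.
ADVISORY_URL = ("https://hacktify.thinkific.com/account/billing"
                "?success=%E2%80%AA%3Cscript%3Ealert(1)%3C/script%3E")

# Assumed page fragment: the flash message is written into HTML body context.
PAGE = '<div class="flash">{msg}</div>'


def success_param(url: str) -> str:
    """Return the percent-decoded ``success`` query parameter ('' if absent)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("success", [""])[0]


def render_vulnerable(msg: str) -> str:
    """The bug: the parameter is reflected verbatim into the HTML."""
    return PAGE.format(msg=msg)


def render_hardened(msg: str) -> str:
    """The fix: entity-encode for HTML body/attribute context before writing.
    escape() leaves U+202A in place; once the angle brackets are encoded
    the value is inert text, not markup."""
    return PAGE.format(msg=escape(msg, quote=True))


def reflects_script(rendered: str) -> bool:
    """True if a live <script> element survived rendering."""
    return "<script" in rendered.lower()


def check_url(url: str) -> dict:
    """Run the URL's success parameter through both renderers."""
    msg = success_param(url)
    return {
        "vulnerable": reflects_script(render_vulnerable(msg)),
        "hardened": reflects_script(render_hardened(msg)),
        "has_bidi_control": "\u202a" in msg,
    }


# ---- detection over web server access logs (combined log format) ----
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<target>\S+) HTTP/')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded probes are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def looks_like_xss(value: str) -> bool:
    """Crude marker check on the decoded value; tune for your own traffic."""
    v = fully_decode(value).lower()
    return any(m in v for m in ("<", ">", "javascript:", "onerror=", "onload="))


def find_probes(log_lines):
    """Return (client_ip, request_target) for suspicious /account/billing?success= hits."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        parts = urlsplit(target)
        if parts.path != "/account/billing":
            continue
        for v in parse_qs(parts.query, keep_blank_values=True).get("success", []):
            if looks_like_xss(v):
                hits.append((m.group("ip"), target))
                break
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Jul/2023:10:00:01 +0000] "GET /account/billing?success=%E2%80%AA%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5120',
    '198.51.100.9 - - [25/Jul/2023:10:00:02 +0000] "GET /account/billing?success=Payment%20received HTTP/1.1" 200 5120',
    '198.51.100.9 - - [25/Jul/2023:10:00:03 +0000] "GET /courses/take/intro HTTP/1.1" 200 8812',
    '203.0.113.7 - - [25/Jul/2023:10:00:04 +0000] "GET /account/billing?success=%253Cimg%20src%3Dx%20onerror%3Dalert(1)%253E HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    print(check_url(ADVISORY_URL))
    for ip, target in find_probes(SAMPLE_LOG):
        print("probe from", ip, "->", target)
```

The encoding in render_hardened is the fix the Recommendations call for; the marker list in looks_like_xss is the workaround-style filter, and it is deliberately only a detection aid, since filters on the input side are bypassable in ways that output encoding is not. The fourth sample line shows why the scanner decodes repeatedly: a double-encoded probe would otherwise slip past a check on the once-decoded value.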

Exploit

XSS

Weakness Enumeration

Related Identifiers

CVE-2020-35698

Affected Products

Thinkific Online Course Creation Platform