PT-2023-7322 · Unknown · Alumne Lms

Ignacio Lis Malagón · Published 2023-11-28 · Updated 2023-11-30 · CVE-2023-6359

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Alumne LMS version 4.0.0.1.08

Description: A Cross-Site Scripting (XSS) issue has been found in Alumne LMS. An attacker can use the localidad parameter to inject a custom JavaScript payload, because the localidad field on the "/users/editmy" page is not properly sanitized. This could allow the attacker to partially take over another user's browser session. The vulnerability can be exploited by a remote attacker to conduct Cross-Site Scripting attacks.

Recommendations: For version 4.0.0.1.08, as a temporary workaround, consider disabling the localidad parameter on the "/users/editmy" page until a patch is available. Restrict access to the "/users/editmy" page to minimize the risk of exploitation. Avoid using the localidad parameter on the affected page until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
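The defect class described above, shown as an added example that is not Alumne LMS code (the LMS's server language and templates are not on the page): a profile form that echoes the submitted localidad value into an input attribute, once interpolated raw and once encoded for attribute context, plus a parser-based check that the value round-trips as a single input element instead of closing the attribute and creating new markup.

```python
import html
from html.parser import HTMLParser

# Constructed sample values (not from the advisory): one ordinary city
# name and one that carries a quote and angle brackets.
PLAIN_VALUE = "Madrid"
MARKUP_VALUE = 'Madrid"><i>x</i>'


def render_localidad_vulnerable(localidad: str) -> str:
    """Hypothetical template that interpolates the field unescaped.
    This is the pattern the advisory describes: the value can end the
    attribute and inject its own tags."""
    return f'<input type="text" name="localidad" value="{localidad}">'


def render_localidad_hardened(localidad: str) -> str:
    """Same template with attribute-context encoding. html.escape with
    quote=True rewrites &, <, >, \" and ' so the value can neither close
    the quoted attribute nor open a tag."""
    safe = html.escape(localidad, quote=True)
    return f'<input type="text" name="localidad" value="{safe}">'


class _TagCollector(HTMLParser):
    """Collects (tag, attrs) for every start tag; attribute values are
    delivered already decoded, which is what makes the round-trip check work."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(fragment: str):
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def value_round_trips(rendered: str, original: str) -> bool:
    """Defensive check for a test suite: the rendered fragment must contain
    exactly one element, an input named localidad, whose decoded value
    attribute equals the submitted text. Injected markup breaks this."""
    tags = parse_tags(rendered)
    if len(tags) != 1 or tags[0][0] != "input":
        return False
    attrs = tags[0][1]
    return attrs.get("name") == "localidad" and attrs.get("value") == original
```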

XSS

Weakness Enumeration

Related Identifiers

BDU:2023-08352
CVE-2023-6359

Affected Products

Alumne Lms