Sakai 10.7 Multiple Vulnerabilities

Title: Sakai 10.7 Multiple Vulnerabilities
Advisory ID: ZSL-2016-5358
Type: Local/Remote
Impact: Cross-Site Scripting, Exposure of System Information, Exposure of Sensitive Information
Risk: (3/5)
Release Date: 21.08.2016
Summary
Sakai is a free, community source, educational software platform designed to support teaching, research and collaboration. Systems of this type are also known as Course Management Systems (CMS), Learning Management Systems (LMS), or Virtual Learning Environments (VLE).
Description
Sakai suffers from multiple reflected cross-site scripting vulnerabilities: input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. There is also a file disclosure vulnerability when calling a custom tool script: its input is not properly verified before being used to read files. This can be exploited to disclose the contents of files from local resources.
Vendor
Apereo Foundation - https://www.sakaiproject.org
Affected Version
10.7 (Kernel 10.7)
Tested On
Apache-Coyote/1.1
Vendor Status
[29.06.2016] Vulnerability discovered.
[17.07.2016] Contact with the vendor.
[18.07.2016] Vendor responds giving security contact.
[18.07.2016] Contact with the security team.
[18.07.2016] Vendor responds asking more details.
[18.07.2016] Sent details to the vendor.
[19.07.2016] Vendor confirms the vulnerabilities.
[15.08.2016] Vendor releases fixed versions 11.0 and 11.1 to address these issues.
[21.08.2016] Coordinated public security advisory released.
PoC
sakai_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://jira.sakaiproject.org/browse/SAK-26334
[2] https://jira.sakaiproject.org/browse/SAK-31523
[3] https://jira.sakaiproject.org/browse/SAK-31524
[4] https://jira.sakaiproject.org/browse/SAK-31525
[5] https://www.exploit-db.com/exploits/40286/
[6] https://cxsecurity.com/issue/WLB-2016080208
[7] https://packetstormsecurity.com/files/138458
[8] https://exchange.xforce.ibmcloud.com/vulnerabilities/116250
[9] https://exchange.xforce.ibmcloud.com/vulnerabilities/116282
Changelog
[21.08.2016] - Initial release
[31.08.2016] - Added references [5], [6], [7], [8] and [9]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk