VYPR
Unrated severity · NVD Advisory · Published Mar 13, 2014 · Updated May 6, 2026

CVE-2014-1877

Description

Multiple cross-site scripting (XSS) vulnerabilities in Dokeos 2.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) Phone, (2) Street, (3) Address line, (4) Zip code, or (5) City field to main/auth/profile.php; (6) Subject field to main/social/groups.php; or (7) Message body field to main/messages/view_message.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Dokeos 2.1.1 fails to sanitize user profile, group, and message fields, enabling stored XSS via arbitrary script injection.

Vulnerability

CVE-2014-1877 describes multiple stored cross-site scripting (XSS) vulnerabilities in Dokeos version 2.1.1. The application fails to sanitize user-supplied input before storing it in the database and later displaying it on several pages. Affected fields include Phone, Street, Address line, Zip code, and City on main/auth/profile.php; the Subject field on main/social/groups.php; and Message body on main/messages/view_message.php. Any user with the ability to edit their profile or create group posts and messages can inject arbitrary script code [2][3].

Exploitation

An attacker must have a valid account on the Dokeos instance and be able to access the vulnerable forms. For profile fields, the attacker edits their profile via main/auth/profile.php and injects a JavaScript payload (e.g., ><iframe/onload=alert(document.domain)>). After the profile is saved, any other user who views the attacker's profile (URL pattern /main/social/profile.php?u=3) triggers the stored script in their browser. Similarly, for group subjects and private messages, the attacker posts crafted values that execute when other users view the corresponding group page or message [2].

Impact

Successful exploitation allows an attacker to execute arbitrary HTML and JavaScript in the context of the victim's browser session, potentially leading to session hijacking, defacement, or redirection to malicious sites. The attacker does not need elevated privileges beyond a normal user account, and the compromise directly affects anyone viewing the attacker's profile, groups, or messages [2][3].

Mitigation

No official patch or fixed version from Dokeos is mentioned in the available references. As of the publication date (March 2014), administrators should consider upgrading to a later version if available, or apply input validation and output encoding for all user-supplied fields. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [2][3].
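The following is an added illustration of the mitigation described above, the output-encoding and input-validation pattern for the profile, group and message fields. It is example code written for this page, not Dokeos source: the function names, the field list and the stored sample profile are assumptions, and the sample Street value reuses the payload quoted in the Exploitation section only to show that the hardened renderer turns it into inert text.

```php
<?php
// Added example (not Dokeos code): contextual output encoding for the
// user-supplied fields named in CVE-2014-1877. Function names, field
// labels and the sample profile below are assumptions for illustration.

declare(strict_types=1);

// Encode a value for insertion into HTML text or a quoted attribute.
// ENT_QUOTES encodes both ' and " so a value cannot break out of an
// attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The vulnerable pattern: stored input is echoed verbatim into the page,
// so any markup saved in a field becomes live HTML for every viewer.
function renderProfileUnsafe(array $profile): string
{
    $html = '';
    foreach ($profile as $label => $value) {
        $html .= "<tr><td>{$label}</td><td>{$value}</td></tr>\n";
    }
    return $html;
}

// The hardened pattern: every stored value is encoded at output time,
// regardless of what validation happened (or did not) when it was saved.
// This is the primary control, because rows stored before a fix still
// pass through this renderer.
function renderProfileSafe(array $profile): string
{
    $html = '';
    foreach ($profile as $label => $value) {
        $html .= '<tr><td>' . encodeForHtml((string) $label) . '</td><td>'
               . encodeForHtml((string) $value) . "</td></tr>\n";
    }
    return $html;
}

// Defence in depth on the input side: phone, street, zip and city are plain
// text, so a conservative allow-list at save time rejects markup outright.
// Letters, digits, spaces and common address punctuation are allowed;
// angle brackets, double quotes and control characters are not.
function isPlainTextField(string $value, int $maxLength = 255): bool
{
    if (strlen($value) > $maxLength) {   // byte-length cap
        return false;
    }
    return preg_match('/^[\p{L}\p{N} .,\'#\/\-+()]*$/u', $value) === 1;
}

// Constructed sample profile: the Street field holds the payload quoted in
// the advisory, as if it had already been stored in the database.
$storedProfile = [
    'Phone'        => '+1 555 0100',
    'Street'       => '><iframe/onload=alert(document.domain)>',
    'Address line' => 'Suite 4',
    'Zip code'     => '12345',
    'City'         => 'Springfield',
];

$unsafe = renderProfileUnsafe($storedProfile);
$safe   = renderProfileSafe($storedProfile);

echo 'Unsafe rendering contains live <iframe> markup: '
   . (strpos($unsafe, '<iframe') !== false ? 'yes' : 'no') . "\n";
echo 'Safe rendering contains live <iframe> markup: '
   . (strpos($safe, '<iframe') !== false ? 'yes' : 'no') . "\n";
echo 'Stored Street value passes plain-text validation: '
   . (isPlainTextField($storedProfile['Street']) ? 'yes' : 'no') . "\n";
echo "\nHardened output:\n" . $safe;
```

Run it with `php example.php`. The encoded renderer emits `&gt;&lt;iframe/...&gt;` in the Street cell, which the browser displays as literal text rather than executing; the allow-list rejects the same value at save time. Encoding at output is the control to rely on, since validation only protects rows written after it was added, and the same `encodeForHtml` call applies to the group Subject and Message body fields wherever they are rendered.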

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 5
