CVE-2017-17904

Vulnerability

FS Lynda Clone (last version as of the report) contains cross-site scripting (XSS) vulnerabilities. A reflected XSS exists in the /tutorial/ endpoint via the keywords POST parameter. A stored XSS exists in the /user/edit_profile endpoint via the edit_profile_first_name POST parameter. The application lacks CSRF tokens, making the stored XSS exploitable via cross-site request forgery. [1]

Exploitation

For reflected XSS, an attacker sends a crafted POST request to /tutorial/ with a payload in the keywords parameter, e.g., 123'"><svg/onload=alert(/XSS/)><'". For stored XSS, the attacker submits a POST to /user/edit_profile with a malicious edit_profile_first_name value, e.g., Jhon'"><svg/onload=alert(/xss/)><'". Because there is no CSRF protection, the stored XSS can be triggered by tricking an authenticated user into visiting a malicious page that submits the form on their behalf. [1]

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of a victim's browser. For reflected XSS, the attack is same-origin but can be used to steal session cookies or perform actions on behalf of the victim. Stored XSS persists in the user's profile, so any visitor to the profile page will execute the script, enabling broader attacks (e.g., session hijacking, defacement, or data theft). Combined with CSRF, the attacker can silently modify profile data without the victim's knowledge. [1]

Mitigation

No official fix has been released. The vendor (FS Lynda Clone) has not provided a patched version as of the publication date. Mitigations include implementing proper input validation and output encoding for all user-supplied data, adding CSRF tokens to all state-changing forms, and using a content security policy (CSP). [1]