CVE-2018-20858

Root

Cause

The Recommender XBlock, an edX component for recommendations, suffered from a stored cross-site scripting (XSS) vulnerability before July 18, 2018. The issue stems from insufficient output escaping in the template rendering. Specifically, the descriptionText field was not sanitized via the h filter, allowing attacker-controlled HTML and JavaScript to be stored and later executed in users' browsers [1][2].

Exploitation

An attacker with the ability to submit content (e.g., via a course recommendation) can inject malicious scripts into the descriptionText parameter. No authentication is required beyond standard course access, and the attack can be performed over the network. The stored payload is then rendered when other users view the recommendation, leading to execution in their browser context [2][3].

Impact

Successful exploitation enables arbitrary JavaScript execution in the context of the vulnerable application. This can lead to session hijacking, data theft, or defacement. The vulnerability has a CVSS score that reflects medium-to-high severity due to the potential for account takeover [1][4].

Mitigation

The fix was implemented in pull request #2 by adding the expression_filter="h" attribute to the Mako template, ensuring proper HTML escaping of user-supplied data [2]. All users are strongly advised to update to the version after July 18, 2018, or apply the corresponding patch.