VYPR
Unrated severity · NVD Advisory · Published Mar 31, 2021 · Updated Aug 3, 2024

CVE-2021-29663

Description

CourseMS (aka Course Registration Management System) 2.1 is affected by cross-site scripting (XSS). When an attacker with access to an Admin account creates a Job Title in the Site area (aka the admin/add_jobs.php name parameter), they can insert an XSS payload. This payload will execute whenever anyone visits the registration page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in CourseMS 2.1 allows an admin to inject arbitrary JavaScript via the Job Title field, executing on the registration page.

Vulnerability

CourseMS (Course Registration Management System) version 2.1 is affected by a stored cross-site scripting (XSS) vulnerability in the admin/add_jobs.php script. An attacker with administrative access can inject arbitrary JavaScript into the name parameter when creating a Job Title. The payload is stored in the database and later rendered unsanitized on the registration page, affecting all visitors. [1][2]

Exploitation

An attacker must have an active Admin account in CourseMS 2.1. The attacker logs in, navigates to the Site area, and selects "Add Job Title." In the name field, they insert a malicious payload (e.g., ``). After saving, any user who visits the registration page will trigger the payload in their browser. No additional user interaction is required beyond viewing the page. [2]

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of any visitor's browser. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The attack requires admin privileges to inject, but the impact affects all unauthenticated and authenticated users who access the registration page. [2]

Mitigation

No official patch has been released for CourseMS 2.1 as of the publication date. The project appears unmaintained. Mitigations include restricting admin account access to trusted users only, implementing input sanitization on the name parameter, or disabling the Job Title feature. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. [1][2]
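The sanitization the mitigation above calls for, as an added PHP example that is not CourseMS's own code: a hypothetical reconstruction of the stored-then-echoed Job Title pattern described for admin/add_jobs.php, beside a hardened version that encodes on output (the primary defence) and validates the admin name parameter on input. The function names, the `$jobs` rows and the markup layout are assumptions.

```php
<?php
// Added example, not CourseMS code: hypothetical reconstruction of the
// stored-XSS pattern described for admin/add_jobs.php, beside a hardened form.
// $jobs stands in for rows read back from the database.

// --- Vulnerable pattern: the stored Job Title is echoed raw on the page. ---
function render_job_options_vulnerable(array $jobs): string {
    $html = '<select name="job_title">';
    foreach ($jobs as $job) {
        // No output encoding: any markup in $job['name'] becomes live HTML
        // for every visitor of the registration page.
        $html .= '<option value="' . $job['id'] . '">' . $job['name'] . '</option>';
    }
    return $html . '</select>';
}

// --- Hardened pattern: encode on output, validate on input. ---
function h(string $s): string {
    // ENT_QUOTES also encodes single quotes, so the value is inert inside
    // double- and single-quoted attributes as well as in text nodes.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_job_options_safe(array $jobs): string {
    $html = '<select name="job_title">';
    foreach ($jobs as $job) {
        $html .= '<option value="' . h((string) $job['id']) . '">'
               . h($job['name']) . '</option>';
    }
    return $html . '</select>';
}

// Server-side validation of the admin "name" parameter: defence in depth,
// not a substitute for output encoding. Bounded length, plain text only.
function validate_job_title(string $name): bool {
    $name = trim($name);
    return $name !== ''
        && mb_strlen($name, 'UTF-8') <= 80
        && preg_match('/^[\p{L}\p{N} .,\'&\/()-]+$/u', $name) === 1;
}

// Constructed sample rows; the second one carries markup, as a malicious
// admin-saved title would.
$jobs = [
    ['id' => 1, 'name' => 'Lecturer'],
    ['id' => 2, 'name' => '<em>constructed</em>'],
];

echo render_job_options_vulnerable($jobs), PHP_EOL;  // markup is rendered as HTML
echo render_job_options_safe($jobs), PHP_EOL;        // markup is shown as text
var_dump(validate_job_title('Teaching Assistant'));  // accepted
var_dump(validate_job_title('<em>constructed</em>')); // rejected before storage
```

Run with `php` on the command line; the two `echo` lines show the same row once as live markup and once as escaped text.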

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (No linked articles in our index yet.)