Metamorfosec Security Advisory METS-2018-004

A Cross-Site Scripting (XSS) vulnerability in Jenzabar v8.2.1 through 9.2.0

FIRST PUBLISHED: December 20, 2018
VERSION: 1.0
VENDOR: Jenzabar
PRODUCT: Jenzabar
VERSION AFFECTED: 8.2.1-9.2.0 (and maybe other versions)
CVE-ID: CVE-2018-16778

PRODUCT DESCRIPTION:
(from Official Website: https://www.jenzabar.com/about-us/)
Jenzabar student information systems have been chosen more often than any other SIS over the past five years. Exclusively serving higher education, Jenzabar software and services are designed to drive higher performance in every department at your institution. Jenzabar collaborates with clients to make higher education amazing.

FINDING:
A cross-site scripting (XSS) vulnerability exists in Jenzabar v8.2.1 through 9.2.0. An attacker could inject arbitrary web script or HTML via the query parameter (aka the Search Field). To exploit the vulnerability, someone must click the text link.

PROOF OF CONCEPT:
Payload used: CLICK ME

Steps to reproduce:
1. Open a website that uses Jenzabar
2. In the Search Field, enter the payload
3. Press Enter
4. Click "CLICK ME" to trigger the alert

MITIGATION:
Because there is still no official patch from the vendor, the possible workaround is to not click any suspicious link.

ADVISORY TIMELINE:
Aug 24, 2018 - First contact to vendor (no response)
Aug 25, 2018 - Request CVE-ID
Sep 10, 2018 - Get CVE-ID, i.e. CVE-2018-16778 (still Reserved)
Nov 21, 2018 - Second contact to vendor (no response)
Dec 4, 2018 - Third contact to vendor (no response)
Dec 20, 2018 - Request to publish the CVE-ID, publish this advisory (v1.0)

REVISION HISTORY:
Version 1.0 (Dec 20, 2018) - First release

REFERENCES:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16778

DISCLAIMER:
The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on our website.
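
ADDED EXAMPLE (not part of the original advisory and not Jenzabar code):
With no vendor patch available, as the MITIGATION section notes, a site operator can review web server access logs for search requests that carry markup in the query parameter named in the FINDING section. The /search path, the Common Log Format layout and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Markup indicators in a decoded search term: an HTML tag opener, a
# script-capable URI scheme, or an inline event-handler attribute.
SUSPICIOUS = re.compile(r"</?[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.I)

# Request field of a Common Log Format line: "METHOD target PROTOCOL"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_queries(log_lines, param="query"):
    """Return (line_number, decoded_value) for requests whose search
    parameter carries HTML or script markup."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        params = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
        for value in params.get(param, []):
            # parse_qs removes one layer of percent-encoding; decode once
            # more so double-encoded markup is also caught.
            decoded = unquote(value)
            if SUSPICIOUS.search(decoded):
                hits.append((number, decoded))
    return hits


# Constructed sample log lines (hosts, paths and values are illustrative).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Dec/2018:10:00:01 +0000] "GET /search?query=course+catalog HTTP/1.1" 200 5120',
    '203.0.113.9 - - [20/Dec/2018:10:02:14 +0000] "GET /search?query=%3Ca%20href%3D%22javascript%3Avoid(0)%22%3Elink%3C%2Fa%3E HTTP/1.1" 200 5340',
    '203.0.113.9 - - [20/Dec/2018:10:03:40 +0000] "GET /search?query=%253Cb%253Ebold%253C%252Fb%253E HTTP/1.1" 200 5301',
    '203.0.113.12 - - [20/Dec/2018:10:05:02 +0000] "GET /search?query=a+%3C+b HTTP/1.1" 200 5088',
    '203.0.113.12 - - [20/Dec/2018:10:05:30 +0000] "GET /news?page=2 HTTP/1.1" 200 2210',
]

if __name__ == "__main__":
    for number, value in suspicious_queries(SAMPLE_LOG):
        print(f"line {number}: {value!r}")
```

A match is a triage signal for follow-up, not proof of exploitation, since legitimate search terms can also contain angle brackets.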