search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Coursemill Learning Management System contains multiple vulnerabilities

Vulnerability Note VU#960908

Original Release Date: 2013-08-30 | Last Revised: 2013-08-30


Coursemill Learning Management System version 6.6 and 6.8 contains multiple vulnerabilities.


CWE-472: External Control of Assumed-Immutable Web Parameter - CVE-2013-3599

In Coursemill 6.6, when loading the home page (/coursemill/cm0660/home.html) the response to the userlogin.jsp request returns the user role as a parameter (passed to the client for processing). In Coursemill 6.8, this has been partially remediated. Privilege escalation is still possible without authentication.

CWE-472: External Control of Assumed-Immutable Web Parameter - CVE-2013-3600
In Coursemill 6.6, the userid parameter is exploitable in certain functions. Using the "Edit Profile" function and replaying the request can result in access to another user (or privileged user's) information. It is unknown if this is remediated in version 6.8.

CWE-250: Execution with Unnecessary Privileges - CVE-2013-3601
In Coursemill 6.6, the application relies on JavaServer Pages (JSP) for user-executed functions. These function calls take an “op” parameter that tells the JSP which operation to run. Operations that should be restricted to administrators were found to be executable by users in a non-administrative Student role. This has been remediated in Coursemill 6.8

CWE-89: Improper Neutralization of Special Elements used in a SQL Command ('SQL Injection') - CVE-2013-3602
In Coursemill 6.6, the following JSP call is intended to retrieve information about uploaded documents:

The docID parameter passes the numeric value of the document to the server which then retrieves the document data from the database. The application passes SQL statements directly from the user to the SQL server for processing. This has been remediated in Coursemill 6.8

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2013-3603
In Coursemill 6.6, the application was observed to reflect error messages containing user-provided URL input directly to the browser without proper input validation and output encoding. This allows for a reflected XSS attack, whereby an attacker can pass a crafted link to a user which when clicked, executes malicious JavaScript to attack the user.

This is partially remediated in Coursemill 6.8. The application is still vulnerable to reflected XSS due to insufficient input validation and output encoding. The application attempts to remove event attributes by keyword - anything with the letters “on” (such as “onmouseover”) are removed. This can be defeated by inserting null bytes (%00) in between the “o” and the “n” which will evade the filter and allow the browser to execute the script. The additional validation step of removing closing brackets (“>” ) is also insufficient because some browsers, such as Internet Explorer, will tolerate lack of closing brackets and execute the HTML regardless.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2013-3604
In Coursemill 6.6 and 6.8, a stored XSS attack is possible in several application inputs.
Coursemill 6.8 adds a filter for closing quotes, but does not filter other input (such as %22)

CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2013-3605
Coursemill 6.6 relies on cookie values to authenticate a request from a user, rendering it vulnerable to CSRF attacks. Coursemill 6.8 adds CSRF tokens but they are constructed using predictable values (timestamps of the user).


An attacker can conduct a cross-site scripting, cross-site request forgery, or privilege escalation attack, which may result in information leakage or privilege escalation.


Apply an Update
Coursemill version 6.8 provides some remediation to these issues.

Vendor Information


Trivantis Affected

Notified:  June 12, 2013 Updated: August 30, 2013



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group Score Vector
Base 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N
Temporal 5.8 E:POC/RL:U/RC:C
Environmental 1.4 CDP:N/TD:L/CR:ND/IR:ND/AR:ND



Thanks to Mike Czumak for reporting this vulnerability.

This document was written by Chris King.

Other Information

CVE IDs: CVE-2013-3599, CVE-2013-3600, CVE-2013-3601, CVE-2013-3602, CVE-2013-3603, CVE-2013-3604, CVE-2013-3605
Date Public: 2013-08-30
Date First Published: 2013-08-30
Date Last Updated: 2013-08-30 21:33 UTC
Document Revision: 18

Sponsored by CISA.