Security Advisory B004 - Dokeos Input Validation Holes Permit Cross-Site Scripting Attacks
==================

Release Date: Jan 11 2004

Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Dokeos software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Vendor URL: http://www.dokeos.com/

Vulnerable Versions: Tested on Dokeos 1.5.5, all previous versions vulnerable as well.

Description:
Dokeos is a free software translated in 31 languages and helping more than 1000 organisations worldwide to manage Learning and Collaboration activities.
A user can create a new course and include some (malicious) code in various input fields (course name, type,...). When another user browses the course the (malicious) code will be executed by the visitor's machine.

Solution/Status:
Vendor has been contacted. No patch available.