
XSS vulnerability in

Arbitrary JavaScript code can be injected into the {id}&noticiaub={noticia}, [...]/{noticia} and [...]/{noticia} pages via the common noticiaub parameter.

Reproduction steps

  1. Visit,, or
  2. The JavaScript code alert(document.domain) will be executed 3 times.

[Attachment: Screenshot 2019-11-27 at 23.01.43.png, 65 KB]

What should be done?

Sanitize (HTML-escape) the noticiaub parameter before it is written back into the HTML page.
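An added example, not part of the original report or of the UB code, showing the reported reflection next to the recommended fix. The page template and the example.invalid URLs are assumptions; the only real detail reused is the noticiaub parameter, which the report says also arrives as the last path segment on the [...]/{noticia} pages.

```python
import html
from urllib.parse import parse_qs, urlsplit, unquote

# Hypothetical template standing in for the UB page; the real markup is not known.
TEMPLATE = '<h2>Notícia {noticia}</h2><p class="sub">{noticiaub}</p>'

# Constructed sample URLs carrying the marker from the report (alert(document.domain)).
SAMPLE_QUERY_URL = ("https://example.invalid/noticia.php?id=1"
                    "&noticiaub=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E")
SAMPLE_PATH_URL = ("https://example.invalid/noticies/"
                   "%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E")


def extract_noticiaub(url: str) -> str:
    """Read the value from ?noticiaub=... or, for the path-style pages the
    report lists ([...]/{noticia}), from the last path segment."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    if "noticiaub" in qs:
        return qs["noticiaub"][0]
    return unquote(parts.path.rstrip("/").rsplit("/", 1)[-1])


def render_unsafe(url: str) -> str:
    """Reflects the raw parameter into the markup: the reported bug."""
    return TEMPLATE.format(noticia="1", noticiaub=extract_noticiaub(url))


def render_safe(url: str) -> str:
    """HTML-escapes the parameter (quotes included) before it enters the markup.
    This is correct for an HTML text node; an attribute or <script> context
    would need its own context-specific encoder."""
    escaped = html.escape(extract_noticiaub(url), quote=True)
    return TEMPLATE.format(noticia="1", noticiaub=escaped)


def is_reflected_unescaped(rendered: str, value: str) -> bool:
    """Quick regression check: does the raw value survive in the response?"""
    return value in rendered
```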

Attack scenario

An attacker could craft a URL containing JavaScript which, when opened by another UB member, would send the victim's current session cookies to the attacker (for instance the sensitive UBSess cookie in [...], which can be accessed via HTTP).

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.


Universitat de Barcelona
Nov 27 2019, 11:44 PM

Event Timeline

avm99963 triaged this task as Priority-1 priority. Nov 27 2019, 11:46 PM
avm99963 created this task.
avm99963 changed the task status from New to Started. Edited Jan 19 2020, 5:03 PM

Changing its status to "started", because SAE (Servei d'Atenció a l'Estudiant) told me on Jan 16, 2020:

they are working [on the vulnerability] but have run into collateral problems that they are trying to resolve

On Feb 21, 2020, SAE confirmed that the vulnerability was fixed. From my end it also seems like it is fixed, so I'll be changing its status to verified and will publish it.

avm99963 changed the visibility from "Restricted Project (Project)" to "Public (No Login Required)". Feb 23 2020, 7:30 PM