- Sign in to any UB service (for instance, https://campusvirtual.ub.edu/)
- Open the following link: https://sso.ub.edu/CAS/index.php/login?service=%3Cscript%3E%0Aeval(%22ale%22%2B%22rt(document.cookie)%22)%3B%0A%3C%2Fscript%3E
- You will see the content of at least two cookies: UbSes3 and UBSess.
What should be done?
The adAS software should be updated to the latest version, as this vulnerability was fixed on November 29, 2018, as mentioned in issue ADAS-1524.
If the update cannot be applied, a temporary fix should be put in place that sanitizes the service parameter before it is reflected in the page.
An attacker could send a URL to another UB member which, when opened, would send the session cookies mentioned above to the attacker.
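As an added illustration of the temporary fix (this is example code, not adAS's own implementation; the allow-list of service hosts and the hidden-field layout are assumptions), the service parameter is first validated against an allow-list of https service hosts and then HTML-escaped before being echoed into the login page, so that neither a raw script payload nor a quote-breaking URL reaches the browser unencoded:

```python
from html import escape
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow-list of hosts the SSO is permitted to hand a ticket to.
# Example value only; a real deployment would load this from configuration.
ALLOWED_SERVICE_HOSTS = {"campusvirtual.ub.edu"}


def validate_service(service: str) -> Optional[str]:
    """Return the service URL if it is an https URL to an allowed host, else None.

    Exact hostname matching rejects look-alike domains such as
    campusvirtual.ub.edu.evil.example and userinfo tricks such as
    https://campusvirtual.ub.edu@evil.example/.
    """
    try:
        parts = urlsplit(service)
    except ValueError:
        return None
    if parts.scheme != "https" or parts.hostname is None:
        return None
    if parts.hostname.lower() not in ALLOWED_SERVICE_HOSTS:
        return None
    return service


def render_service_field(service: str) -> str:
    """Build the hidden form field that echoes 'service' back into the login page.

    Invalid values are dropped; valid ones are HTML-escaped (including quotes)
    so they cannot break out of the attribute even if they carry markup.
    """
    validated = validate_service(service)
    if validated is None:
        return '<input type="hidden" name="service" value="">'
    return f'<input type="hidden" name="service" value="{escape(validated, quote=True)}">'


if __name__ == "__main__":
    # Constructed sample inputs: a raw script payload like the one in the report,
    # a legitimate service URL, and a valid host carrying an attribute-breaking query.
    samples = [
        '<script>\neval("ale"+"rt(document.cookie)");\n</script>',
        "https://campusvirtual.ub.edu/",
        'https://campusvirtual.ub.edu/?next="><script>',
        "https://campusvirtual.ub.edu.evil.example/",
    ]
    for s in samples:
        print(render_service_field(s))
```

The two layers are independent on purpose: the allow-list stops open-redirect and host-spoofing attempts, and the escaping guarantees that whatever is reflected is inert in an HTML attribute context even when the allow-list lets a URL through.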
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.