Abstract
There's an XSS vulnerability in the page https://www.ub.edu/acad/graus/alumnes/zNoPhpSess.php via the codi GET parameter.
Reproduction steps
- Visit https://www.ub.edu/acad/graus/alumnes/zNoPhpSess.php?codi=%3Cscript%3Eeval(%22al%22%2B%22ert(document.domain)%22)%3C/script%3E.
What should be done?
Output-encode the codi parameter for the HTML context it is reflected into before writing it to the response, rather than echoing the raw query value.
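As an added illustration of that fix (this is not the source of the ub.edu page, which the report does not include), the snippet below shows the vulnerable pattern next to a hardened one. It assumes the page is PHP, inferred only from the `.php` extension, that `codi` is reflected into an HTML text context, and uses helper names (`encode_html`, `render_vulnerable`, `render_safe`) and a sample value chosen here.

```php
<?php
// Added example; not the ub.edu page's actual code. Assumes the page is PHP
// (inferred from the .php extension) and that it reflects the `codi` query
// parameter into an HTML body context. $_GET['codi'] is the only real input.

// Vulnerable pattern: the parameter is echoed raw, so a value such as
// <script>...</script> is parsed as markup by the browser.
function render_vulnerable(string $codi): string
{
    return "<p>Codi: " . $codi . "</p>";
}

// Hardened pattern: encode at the point of output for the HTML context.
// ENT_QUOTES also escapes ' and ", so the same helper is safe inside
// quoted attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, which would otherwise silently drop the value.
function encode_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_safe(string $codi): string
{
    return "<p>Codi: " . encode_html($codi) . "</p>";
}

// Constructed sample value, equivalent to the decoded payload in the report.
$sample = '<script>eval("al"+"ert(document.domain)")</script>';

// The raw echo keeps the <script> tag intact...
if (strpos(render_vulnerable($sample), '<script>') === false) {
    throw new RuntimeException('unexpected: raw reflection did not keep the tag');
}
// ...while the encoded value contains no '<' or '"' at all, so the browser
// shows it as literal text:
// &lt;script&gt;eval(&quot;al&quot;+&quot;ert(document.domain)&quot;)&lt;/script&gt;
$encoded = encode_html($sample);
if (strpos($encoded, '<') !== false || strpos($encoded, '"') !== false) {
    throw new RuntimeException('unexpected: encoding left markup characters');
}

// Real request path: encode the actual parameter and declare the charset the
// encoder was told to use, so the browser and htmlspecialchars() agree.
$codi = $_GET['codi'] ?? '';
header('Content-Type: text/html; charset=UTF-8');
echo render_safe($codi);
```

The encoding has to match the context the value lands in: `htmlspecialchars()` is correct for HTML text and quoted attribute values, but a value placed inside a `<script>` block, an event-handler attribute or a URL needs the encoder for that context instead. Stripping `<script>` tags or blocklisting keywords is not a substitute, since the report's own payload already shows how easily a filter on the literal string `alert` is sidestepped with `eval` and string concatenation.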
Attack scenario
Proof of concept of a phishing attack possible due to this vulnerability:
- Log in as a student at Món UB (https://www.ub.edu/portals/monUB/).
- Visit this link. It will show a dialog with the student's name.
Due to the COVID-19 situation, this bug is subject to a more relaxed 120-day disclosure deadline instead of the normal 90-day deadline. If 120 days elapse without a broadly available patch, the bug report will automatically become visible to the public.