Advisory ID:               SYSS-2026-006
Product:                   Stud.IP
Manufacturer:              The StudIP Core Group (OpenSource)
Affected Version(s):       Confirmed by developers for 6.0 and all
                           older versions
Tested Version(s):         5.3
Vulnerability Type:        Cross-Site Scripting (CWE-79)
Risk Level:                High
Solution Status:           Fixed
Manufacturer Notification: 2025-09-15
Solution Date:             2025-09-15
Public Disclosure:         2026-03-19
CVE Reference:             Not yet assigned
Author of Advisory:        Marcel Schneider, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Stud.IP is an e-learning platform which includes many functionalities
for academic staff to manage courses and interact with their students.

The manufacturer describes the product as follows (see [1]):

"Stud.IP is the modern learning management system and a central
component of every digital education concept."

Due to trusting client-provided data in a specific function, Stud.IP is
vulnerable to persistent cross-site scripting (PXSS).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The platform allows the creation of questionnaires on a wide range of
topics to interact with course participants and gather feedback. These
questionnaires can include various types of components, such as
free-text questions. The vulnerability specifically affects this
free-text question type.

If participants embed JavaScript code within the title field of their
profile and then take part in such questionnaires, the injected code
will be executed in the context of other users when the questionnaire
results are viewed.

This could allow attackers to perform actions on behalf of other
logged-in users (including those with elevated privileges), manipulate
site content in the victim's browser, steal user sessions, or exploit
the victim's hardware to run JavaScript-based cryptocurrency miners for
anonymous financial gain.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Access the following URL while authenticated:
   https:///dispatch.php/settings/account

2. Add a

3. Complete any questionnaire that includes a free-text question. The
   actual content of the questionnaire answers is irrelevant — only the
   malicious title value in the profile matters.

4. When an authorized user views the questionnaire results, the title
   of the participating user is injected into the page source without
   filtering or escaping, for example: " Marcel Autor Schneider, ".
   This results in the injected code being executed in the context of
   the viewing user.

Questionnaires may be embedded in a user's profile page, inside a
course, or published via an external link. Depending on how they are
embedded, results containing malicious code can be retrieved from the
following endpoints:

/dispatch.php/profile?cid=&username=&questionnaire_showall=1#questionnaire_area
/dispatch.php/course/overview?cid=
/dispatch.php/questionnaire/evaluate/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

This vulnerability has been fixed in all supported versions 5.4.10,
5.5.7, 6.0.1 and later.

Older versions from 5.0 to 5.3 need to be upgraded or manually fixed in
code, as can be seen in
https://gitlab.studip.de/studip/studip/-/commit/8799317f33abc1b79f5c0b7ea3ecc3ab5ebd485a.

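The flaw class described above, as an added example (not code from Stud.IP or from the fix commit): a participant's profile title written into a results page without and with output escaping, followed by a DOM-based regression check. The participant record, the function names and the marker value are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed participant record: the title field carries markup where an
// academic title is expected. All names here are hypothetical.
$participant = [
    'title'  => '<b id="marker">Dr.</b>',
    'given'  => 'Erika',
    'family' => 'Mustermann',
];

// "Before": profile fields are concatenated into the results page as-is.
function renderAuthorUnescaped(array $u): string
{
    $name = $u['title'] . ' ' . $u['given'] . ' ' . $u['family'];
    return '<span class="author">' . $name . '</span>';
}

// "After": the assembled name is escaped for the HTML context at output time.
function renderAuthorEscaped(array $u): string
{
    $name = $u['title'] . ' ' . $u['given'] . ' ' . $u['family'];
    return '<span class="author">'
        . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</span>';
}

// Regression check: once parsed, the author span may contain text only.
// Any child element means profile data was interpreted as markup.
function authorSpanIsTextOnly(string $html): bool
{
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $xpath = new DOMXPath($doc);
    return $xpath->query('//span[@class="author"]//*')->length === 0;
}

foreach (['renderAuthorUnescaped', 'renderAuthorEscaped'] as $render) {
    $html = $render($participant);
    printf("%-22s text-only=%s  %s\n", $render,
        var_export(authorSpanIsTextOnly($html), true), $html);
}
```

The same text-only check can be pointed at any template that prints profile fields, which makes it usable as a regression test after a manual fix on an older branch.
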
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-09-15: Vulnerability reported to manufacturer
2025-09-15: Solution discussed and implemented
2025-09-19: Time for public disclosure planned (six months)
2026-03-19: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Stud.IP homepage
    https://www.studip.de/
[2] Stud.IP GitLab
    https://gitlab.studip.de/studip/studip
[3] SySS Security Advisory SYSS-2026-006
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2026-006.txt
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by:

E-Mail: marcel.schneider@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Marcel_Schneider.asc
Key ID: 0xDF63433B76BB7EA5
Key-Fingerprint: 6092 1FFD EB40 B642 9FFF 6E5D DF63 433B 76BB 7EA5

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en