
Vulnerability reports log

July 2017

  • MINOR, FIXED: Minor XSS vulnerability in the 'Finish My Account' screen: the 'first name' and 'last name' fields allowed a user to submit certain specific JavaScript expressions.

January 2017

  • MINOR, FIXED: When adding content through the WYSIWYG editor in multiple locations in the Courses module, it was possible to insert malicious <script> tags.
    Version affected: beta-2
    Communities affected: StartupSpirit
    Version fixed: 2.0.0

August 2016

  • MINOR, FIXED: A theoretical XSS attack was possible through the GET parameter 'community' on login pages, whose value was echoed into the resulting HTML without escaping. This type of attack is improbable, as it would not have yielded any interesting information: the user was not signed in yet.
    Communities affected: all

December 2014

  • MEDIUM, FIXED: When an empty username was entered in the login form of communities that use external LDAP authentication, a request was still sent to the LDAP server. This allowed a theoretical DDoS attack, as some LDAP servers rate-limit based on the user that is signing in.
    Communities affected: Bernardinuscollege
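    To illustrate the LDAP finding above, the following added example (not Includable's own code) contrasts a login handler that forwards every submission to the directory with one that rejects blank input locally; the LDAP client, its per-user rate limit and the single valid account are constructed stand-ins.

```python
"""Empty-username login submissions reaching an LDAP server that rate-limits
binds per user. Constructed example with a fake LDAP client, not the project's code."""
from dataclasses import dataclass, field


@dataclass
class FakeLdapClient:
    """Stand-in for a directory that locks a user after too many bind attempts."""
    max_attempts: int = 3
    attempts: dict = field(default_factory=dict)
    requests_sent: int = 0

    def bind(self, username: str, password: str) -> bool:
        self.requests_sent += 1
        count = self.attempts.get(username, 0) + 1
        self.attempts[username] = count
        if count > self.max_attempts:
            raise RuntimeError(f"rate limit hit for user {username!r}")
        # Constructed credential store: exactly one valid account.
        return (username, password) == ("alice", "correct horse")


def login_vulnerable(ldap: FakeLdapClient, username: str, password: str) -> bool:
    """Pre-fix behaviour: every submission, even an empty username, reaches LDAP,
    so repeated blank logins consume the directory's attempt budget."""
    return ldap.bind(username, password)


def login_fixed(ldap: FakeLdapClient, username: str, password: str) -> bool:
    """Post-fix behaviour: reject blank or whitespace-only input before any
    directory traffic is generated."""
    if not username.strip() or not password:
        return False
    return ldap.bind(username, password)


def count_requests(handler, submissions) -> int:
    """Replay (username, password) submissions against a fresh directory and
    report how many bind requests it received."""
    ldap = FakeLdapClient()
    for user, pw in submissions:
        try:
            handler(ldap, user, pw)
        except RuntimeError:
            pass  # the directory refused further binds for that user
    return ldap.requests_sent
```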

September 2014

  • HIGH, FIXED: Custom domain names did not use SSL, which allowed network spoofing to capture passwords, especially on large corporate networks with many users logging in to Includable every few minutes.
    Communities affected: Bernardinuscollege
    Implemented solution: SSL is required for all authentication attempts (update: all custom domains are now automatically provided with an SSL certificate).