Vulnerability Name: Multiple cross-site scripting (XSS) vulnerabilities in Tin Canny Reporting for LearnDash

CVE Number: CVE-2020-9439

Discoverer: Michael Ritter

Vendor of Product: Uncanny Owl

Affected Product Code Base: Uncanny Owl Tin Canny LearnDash Reporting before 3.4.4

Attack Type: Remote

Vulnerability Type: Cross-Site Scripting (XSS)

Vulnerability Impact: Code Execution, Information Disclosure

Attack Vector: To exploit this vulnerability, a user must navigate to the Uncanny Owl Tin Canny LearnDash Reporting plugin.

Description: Multiple cross-site scripting (XSS) vulnerabilities in Uncanny Owl - Tin Canny LearnDash Reporting 3.3.7 allow authenticated remote attackers to execute arbitrary web scripts or HTML via the:

- search_key GET parameter in TinCan_Content_List_Table.php
- message GET parameter in licensing.php
- tc_filter_group in reporting-admin-menu.php
- tc_filter_user in reporting-admin-menu.php
- tc_filter_course in reporting-admin-menu.php
- tc_filter_lesson in reporting-admin-menu.php
- tc_filter_module in reporting-admin-menu.php
- tc_filter_action in reporting-admin-menu.php
- tc_filter_data_range in reporting-admin-menu.php
- tc_filter_data_range_last in reporting-admin-menu.php

Reporting Timeline:

- 28/02/2020: Vulnerability registered
- 28/02/2020: Vulnerability reported to Uncanny Owl
- 19/08/2020: Vulnerability patched with the release of Tin Canny Reporting for LearnDash 3.4.4
- 22/12/2020: Public disclosure

Remediated Product Version: Uncanny Owl Tin Canny LearnDash Reporting 3.4.4

Reference: https://www.uncannyowl.com/knowledge-base/tin-canny-learndash-reporting-changelog/
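The parameters listed above are the classic reflected-XSS shape in a WordPress admin page: a GET value is read from the request and written back into HTML without output escaping. The following PHP is an added illustration of that pattern beside its hardened form; it is not the plugin's code and is not taken from the advisory. The function names (tcr_*), the HTML they render, and the assumption that the tc_filter_* values are numeric IDs or YYYY-MM-DD dates are hypothetical; the escaping helpers (wp_unslash, sanitize_text_field, esc_attr, esc_html, absint) are standard WordPress APIs.

```php
<?php
// Added illustration (not the plugin's own code): the reflected-XSS pattern
// behind this advisory and its hardened form, using WordPress escaping APIs.
// All tcr_* function names and the rendered markup are hypothetical.

// Vulnerable form: a GET parameter is echoed straight into an HTML attribute.
// Whatever the request carries is returned to the browser unescaped, so a
// crafted value can break out of the attribute and inject markup or script.
function tcr_render_search_box_vulnerable() {
    $search_key = isset( $_GET['search_key'] ) ? $_GET['search_key'] : '';
    echo '<input type="text" name="search_key" value="' . $search_key . '">';
}

// Hardened form: sanitise on input, escape on output for the exact HTML context.
// - wp_unslash() removes the slashes WordPress adds to superglobals.
// - sanitize_text_field() strips tags, octets and control characters from free text.
// - esc_attr() is the escaper for a double-quoted attribute value.
function tcr_render_search_box_hardened() {
    $search_key = isset( $_GET['search_key'] )
        ? sanitize_text_field( wp_unslash( $_GET['search_key'] ) )
        : '';
    echo '<input type="text" name="search_key" value="' . esc_attr( $search_key ) . '">';
}

// A status message rendered as page text (the "message" parameter case):
// esc_html() is the escaper for an HTML text node, not esc_attr().
function tcr_render_notice_hardened() {
    if ( empty( $_GET['message'] ) ) {
        return;
    }
    $message = sanitize_text_field( wp_unslash( $_GET['message'] ) );
    echo '<div class="notice"><p>' . esc_html( $message ) . '</p></div>';
}

// Filter parameters that should only ever be numeric IDs (assumed here for
// tc_filter_user, tc_filter_course, tc_filter_lesson, tc_filter_module,
// tc_filter_group): coerce to a non-negative integer so no markup can survive.
function tcr_read_id_filter( $name ) {
    return isset( $_GET[ $name ] ) ? absint( $_GET[ $name ] ) : 0;
}

// Date-range filters carry free text; accept only the expected shape instead of
// reflecting whatever was received. The YYYY-MM-DD format is an assumption.
function tcr_read_date_filter( $name ) {
    $raw = isset( $_GET[ $name ] )
        ? sanitize_text_field( wp_unslash( $_GET[ $name ] ) )
        : '';
    return preg_match( '/^\d{4}-\d{2}-\d{2}$/', $raw ) ? $raw : '';
}

// Re-populating the filter form: even validated values go through esc_attr()
// at the point of output, so escaping is tied to the context, not to trust.
function tcr_render_date_filter_hardened( $name ) {
    $value = tcr_read_date_filter( $name );
    echo '<input type="text" name="' . esc_attr( $name ) . '" value="' . esc_attr( $value ) . '">';
}
```

The rule the hardened functions follow is "escape late, for the context": sanitising on input limits what gets stored or processed, but only the escaper matched to the output position (attribute, text node, URL, JavaScript) prevents the browser from interpreting the reflected value as markup. For the numeric filters, coercing with absint() is simpler than escaping because an integer cannot carry markup at all.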