At ClassLink, our commitment to creating a secure digital environment for the educational community is woven into the fabric of our operations. Our pledge to Secure by Design principles is not just a statement; it's a fundamental approach to building and maintaining our software solutions. This dedication is exemplified through our transparent public disclosure of vulnerabilities, a practice we uphold with unwavering commitment.

By participating in this pledge, ClassLink is pledging publicly to the following actions:

Principle 1

Take Ownership of Customer Security Outcomes

Principle 2

Embrace Radical Transparency and Accountability

Principle 3

Lead From the Top

ClassLink’s Vulnerability Disclosure Policy

Security Audit Logs

ClassLink will make security audit logs available to its customers at no additional charge above the base cost of its software solutions to ensure that tenant administrators have the ability to see and react to security events affecting their production environment.

Security Audit Logs

Vulnerability Testing

ClassLink conducts internal and external quarterly vulnerability assessments, and authorizes volunteer testing. Findings are anonymously reported, promptly investigated, and recorded. Remediation priorities are set based on threat levels. Vulnerabilities unresolved after 90 days are continuously monitored.

Vulnerability Testing

Vulnerability Disclosure

ClassLink publicly discloses any mitigated vulnerabilities, including the disclosure of Common Vulnerabilities and Exposures (CVE). Each CVE entry will feature a Common Weakness Enumeration (CWE) field, providing insights into the root cause of the vulnerability for enhanced understanding and transparency.

Vulnerability Disclosure

Security Related Statistics & Trends

ClassLink analyzes diverse security data, including MFA adoption, DDoS incidents, breaches, downtime, policy violations, and more. Calculated statistics are published on a public webpage for transparency.

Security Related Statistics & Trends

Vulnerability List

Sort by...
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

S3 Bucket With CI/CD Scripts Was Public

Vulnerability #

CL-0023

Status

Resolved

Discovery Date

3/4/2024

Mitigation Date

3/4/2024

CWE Identifier

CWE-200

Description

An Amazon S3 bucket with bash scripts for the internal CI/CD pipeline was publicly readable on the internet.

Root Cause: CI/CD scripts were placed outside a private folder restricted to internal access.

Effect on Production

One script contained a username and password for a beanstalkapp service account, which could affect the CI/CD pipeline for projects on beanstalkapp. The service account has been decommissioned.

Affected Services:

Backend Services

Password Locker Leaks App Passwords While Editing

Vulnerability #

CL-0022

Status

Resolved

Discovery Date

2/7/2024

Mitigation Date

3/27/2024

CWE Identifier

CWE-200

Description

Passwords for LaunchPad applications could be leaked from the App Passwords window when viewing the HTML source directly.

Root Cause: App passwords were retrieved and decrypted by the frontend.

Effect on Production

No effect on production environment; certain apps that require passwords could have the password leaked.

Affected Services:

LaunchPad

ClassLink Administrator Can Create an Administrator Profile

Vulnerability #

CL-0021

Status

Resolved

Discovery Date

1/2/2024

Mitigation Date

2/1/2024

CWE Identifier

CWE-840, CWE-266

Description

A ClassLink Administrator could create another administrator profile within the CMC.

Root Cause: Improper server-side input validation was occurring.

Effect on Production

Creating another admin profile could confuse a ClassLink Administrator and make auditing admin actions more difficult.

Affected Services:

CMC

Roster Server Authentication Token Does Not Expire

Vulnerability #

CL-0020

Status

Resolved

Discovery Date

3/24/2023

Mitigation Date

5/2/2023

CWE Identifier

CWE-613

Description

Bearer tokens used to authenticate a user to Roster Server would not expire.

Root Cause: An UNIX timestamp was being set for the expiration date instead of a UTC timestamp, causing the token to never expire.

Effect on Production

A token that does not expire could be stolen by an attacker and utilized in a replay attack.

Affected Services:

Roster Server

Roster Console Test Auth Feature Can Port Scan Internal Network

Vulnerability #

CL-0018

Status

Resolved

Discovery Date

4/13/2023

Mitigation Date

4/19/2023

CWE Identifier

CWE-918

Description

The Test Auth feature on the File Exports page accepts internal IP addresses (e.g., 10.0.0.0/8) or hostnames and a port number and tests connectivity to the system. The server responses reveal whether an IP/Port combination is active.

Root Cause: Server-side rate limiting was not enforced.

Effect on Production

An attacker with Tenant Administrator (TA) credentials could port scan servers on an internal network during the reconnaissance phase of an attack to develop a network diagram.

Affected Services:

Roster Server

Heap Overflow Vulnerability on nginx

Vulnerability #

CL-0017

Status

Resolved

Discovery Date

4/23/2023

Mitigation Date

5/12/2023

CWE Identifier

CWE-122, CWE-1395

Description

nginx versions from 0.6.8 - 1.20.0 are vulnerable to Heap Overflow if using the nginx DNS resolver and sending queries to an attacker-controlled DNS server. ClassLink reviewed the system configuration and confirmed it is not using the nginx DNS resolver and is not exploitable. However, the newest versions of AL2 and AL2023 use the most recent patched nginx version, and all instances have been updated.

Root Cause: Amazon Marketplace machine images for default packages with known vulnerabilities need to be reviewed.

Effect on Production

ClassLink reviewed the system configuration and confirmed cloud instances used the system's default DNS resolver and not the nginx resolver. There was no effect on the production environment.

Affected Services:

Underlying Webserver

XSS in SAML Console

Vulnerability #

CL-0015

Status

Resolved

Discovery Date

1/2/2024

Mitigation Date

2/1/2024

CWE Identifier

CWE-79, CWE-80

Description

When creating a new connection on the SAML Console page, the Name attribute was not being sanitized for JavaScript and HTML attributes. Upon saving, this would trigger custom JavaScript whenever the SAML Console page was opened.

Root Cause: Cross-site scripting sanitization wasn't extended to the SAML Console page.

Effect on Production

No effect on production environment

Affected Services:

SAML Console

XSS in Public Portal

Vulnerability #

CL-0014

Status

Resolved

Discovery Date

1/2/2024

Mitigation Date

1/2/2024

CWE Identifier

CWE-79, CWE-80

Description

The Public Portal validator was not checking for HTML event handlers or JavaScript, which could be directly injected into an intercepted HTTP request. A ClassLink Administrator could intercept and modify their request to edit the Public Portal and include custom JavaScript, which would be executed on the Public Portal.

Root Cause: Cross-site scripting sanitization wasn't extended to the CMC Public Portal dashboard.

Effect on Production

No effect on production environment

Affected Services:

CMC

XSS in AUP

Vulnerability #

CL-0012

Status

Resolved

Discovery Date

9/22/2023

Mitigation Date

9/26/2023

CWE Identifier

CWE-79, CWE-80

Description

The title and message body of the Acceptable Use Policy (AUP) were not being sanitized for JavaScript and HTML attributes.

Root Cause: Cross-site scripting sanitization wasn't extended to the AUP title and message body.

Effect on Production

No effect on production environment

Affected Services:

CMC

My Files Limited Metadata

Vulnerability #

CL-0010

Status

Resolved

Discovery Date

9/12/2023

Mitigation Date

11/17/2023

CWE Identifier

CWE-284

Description

It is possible to manipulate the folder_id parameter requests to My Files to look up other arbitrary folder IDs. The server would return information, like the name of the folder and the names of files within it. However, it was not possible to download files the user did not have permission to access.

Root Cause: Access control measures should check for user permissions on all endpoints, not just downloading files.

Effect on Production

Metadata of files and folders within My Files could be leaked, specifically the names of folders and files.

Affected Services:

My Files

XSS in CMC Users

Vulnerability #

CL-0008

Status

Resolved

Discovery Date

9/12/2023

Mitigation Date

9/21/2023

CWE Identifier

CWE-79, CWE-80

Description

When editing or creating a new user via the Edit Users slide-over on the Users page, the First Name, Last Name, and Display Name value fields were not being sanitized for JavaScript and HTML attributes. After saving a user, JavaScript would trigger when viewing the dashboard.

Root Cause: Cross-site scripting sanitization wasn't extended to specific value fields on the Users dashboard.

Effect on Production

No effect on production environment

Affected Services:

CMC

XSS in CMC Beta Notifications Module

Vulnerability #

CL-0007

Status

Resolved

Discovery Date

9/12/2023

Mitigation Date

10/21/2023

CWE Identifier

CWE-79, CWE-80

Description

When previewing a notification in the Notifications Module (Beta), the preview window was not sanitizing the notification's title or body for cross-site scripting (XSS), which allows custom JavaScript. XSS filtering occurs on the dashboard and other notification windows, but it needs to be extended to the preview window, as well.

Root Cause: Cross-site scripting sanitization was not extended to the notification preview window.

Effect on Production

No effect on production environment

Affected Services:

CMC

XSS in CMC Groups

Vulnerability #

CL-0006

Status

Resolved

Discovery Date

9/12/2023

Mitigation Date

9/21/2023

CWE Identifier

CWE-79, CWE-80

Description

On the Groups page, the Wallpaper and Group Name fields were not sanitized for cross-site scripting (XSS) before reflecting the input into HTML. This allowed custom JavaScript to be injected into both parameters. When editing a group, custom JavaScript was triggered when the slide-over opened.

Root Cause: Cross-site scripting was not being checked on all possible inputs.

Effect on Production

No effect on production environment

Affected Services:

CMC

XSS in Notifications

Vulnerability #

CL-0005

Status

Resolved

Discovery Date

5/1/2023

Mitigation Date

7/26/2023

CWE Identifier

CWE-79, CWE-80

Description

Certain HTML attributes were not sanitized in the notification body, which can lead to custom JavaScript injection (XSS).

Root Cause: Cross-site scripting sanitization was not robust enough.

Effect on Production

No effect on production environment

Affected Services:

CMC

OneClick Extension Domain

Vulnerability #

CL-0004

Status

Resolved

Discovery Date

6/13/2023

Mitigation Date

8/17/2023

CWE Identifier

CWE-840

Description

A flaw in validation logic allowed the ClassLink OneClick Extension to run on non-ClassLink domains.

Root Cause: Improper URL filtering with a regular expression (RegEx) caused a flaw in validation logic.

Effect on Production

No effect on production environment

Affected Services:

OneClick Browser Extension

Directory Traversal Vulnerability Preprocessor

Vulnerability #

CL-0003

Status

Resolved

Discovery Date

3/24/2023

Mitigation Date

4/13/2023

CWE Identifier

CWE-22

Description

The Append Files option in the Roster Server Preprocessor allowed user-supplied input to create a path to retrieve files outside the DailyImport and SIS Import folders, but it did not properly strip path symbols (e.g., ../). The backend automatically appends a comma-separated value (CSV) file extension to the filename, which limits what files can be targeted. It was not possible to download arbitrary files via this endpoint.

Root Cause: Improper sanitization of filename characters allowed for path symbols (e.g., ../).

Effect on Production

There was no impact on production systems with only this exploit. While it is possible to reach arbitrary files with directory traversal, it is limited to CSV files and would require a Roster Server sync to read the file. These files can't be directly downloaded from the server.

Affected Services:

Roster Server

Directory Traversal Vulnerability Export Log

Vulnerability #

CL-0002

Status

Resolved

Discovery Date

3/24/2023

Mitigation Date

4/13/2023

CWE Identifier

CWE-22

Description

When exporting logs from Roster Server, the filename parameter was not being stripped of path characters. This allowed for directory traversal outside the log directory. The OneRoster®/Roster Server user does not run as root.

Root Cause: Improper sanitization on the filename parameter allowed for path characters.

Effect on Production

Directory traversal on the Amazon Web Services (AWS)-hosted Roster Server instances can reveal files outside the Roster Server log directory.

Affected Services:

Roster Server

XSS on CMC User's Page

Vulnerability #

CL-0001

Status

Resolved

Discovery Date

3/24/2023

Mitigation Date

5/1/2023

CWE Identifier

CWE-79, CWE-80

Description

HTML is accepted for values (e.g., Display Name, First Name, Last Name) in the Edit User slide-over on the Users page. However, certain HTML attributes were not sanitized before being injected into the slide-over, triggering custom JavaScript.

Root Cause: Cross-site scripting sanitization was not checking for HTML attributes.

Effect on Production

No effect on production environment

Affected Services:

CMC