Reflected XSS in Xerte

So this is part of three vulnerabilities found over a longer period of time; the first one is reflected XSS. “Xerte is an award-winning suite of browser-based tools that allow anyone with a web browser to create interactive learning materials quickly and easily.” – Xerte is an open-source project and can be found at:

While browsing the code base I found the ability to print a project (https://<domain hosting Xerte>/print/). When printing a project, the user has to provide the URL to their project and submit the request. The ?link= parameter is not checked and is reflected in full on the web page after submitting. Providing the following ‘link’ results in reflected XSS:


The presence of this vulnerability was successfully tested on six instances of Xerte.
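
One way to close this class of bug, shown as an added example that is not Xerte's code and not from the original post: the `link` value is validated as an absolute http(s) URL and HTML-encoded at the point of output. It assumes the print page is rendered server-side in PHP; the function names, the length limit and the sample inputs are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example: hypothetical print-page handler, not Xerte's code.
// Function names and the http(s)-only policy are assumptions.
// Pattern described in the post: the value goes into the page as-is.
function render_unsafe(array $query): string
{
    return '<p>Printing ' . ($query['link'] ?? '') . '</p>';
}

// Accept only a string that parses as an absolute http(s) URL.
function validated_project_link($raw): ?string
{
    if (!is_string($raw) || $raw === '' || strlen($raw) > 2048) {
        return null; // also rejects ?link[]=... arrays
    }
    // FILTER_VALIDATE_URL checks syntax only; the scheme is checked below.
    if (filter_var($raw, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($raw, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $raw : null;
}

// Encode for HTML text and quoted-attribute contexts.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_safe(array $query): string
{
    $link = validated_project_link($query['link'] ?? null);
    if ($link === null) {
        return '<p>Invalid project URL.</p>';
    }
    $safe = h($link);
    return "<p>Printing <a href=\"{$safe}\" rel=\"noopener noreferrer\">{$safe}</a></p>";
}

// Constructed sample inputs (markup characters only, no script).
$samples = [
    ['link' => 'https://xerte.example/project/1'],
    ['link' => '"><b>injected</b>'],
    ['link' => 'javascript://xerte.example/%0a'],
];
foreach ($samples as $q) {
    echo render_safe($q), PHP_EOL;
}
```

Encoding at output is the primary control; the scheme check additionally keeps non-http(s) URLs out of the `href`.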

Timeline: