CVE-2020-9008

MEDIUM

Blackboard Learn < 9.1 - Stored Cross-Site Scripting via Tile Widget in People Tool Profile Editor

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-9008. PoCs published by kyletimmermans.

AI-analyzed exploit summary This repository contains a detailed technical writeup for CVE-2020-9008, a stored XSS vulnerability in Blackboard Learn/CloudPeopleTool. It describes the vulnerability, affected versions, and steps to reproduce the exploit.

Description

Stored Cross-site scripting (XSS) vulnerability in Blackboard Learn/PeopleTool v9.1 allows users to inject arbitrary web script via the Tile widget in the People Tool profile editor.

Exploits (1)

nomisec WRITEUP 4 stars
by kyletimmermans · poc
https://github.com/kyletimmermans/blackboard-xss

This repository contains a detailed technical writeup for CVE-2020-9008, a stored XSS vulnerability in Blackboard Learn/CloudPeopleTool. It describes the vulnerability, affected versions, and steps to reproduce the exploit.

Classification
Writeup 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Blackboard Learn/CloudPeopleTool v9.1 Q2 2017 CU5
Auth required
Prerequisites: Access to a Blackboard profile with the Tile widget · Ability to inject script tags into the Tile widget
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2
Core References
Product x_refsource_misc
https://blackboard.com

Scores

CVSS v3 5.4
EPSS 0.0062
EPSS Percentile 45.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (2)
blackboard/blackboard_learn 9.1 q2_2017 (6 CPE variants)
blackboard/blackboard_learn < 9.1
Published Feb 25, 2020
Tracked Since Feb 18, 2026