CVE-2019-14696
published 2019-08-06
CVE-2019-14696: Open-School 3.0, and Community Edition 2.3, allows XSS via the osv/index.php?r=students/guardians/create id parameter.
Priority P343 · medium · 6.1 · CVSS 3.0
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EXPLOIT
EPSS: 15.44% (96.4th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| open-school | open-school | — | — |
| open-school | open-school | — | — |
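CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |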
No detection rules found.
Exploit-DB
Open-School 3.0 / Community Edition 2.3 - Cross-Site Scripting
exploitdb·2019-08-08·CVSS 6.1
CVE-2019-14696 [MEDIUM] Open-School 3.0 / Community Edition 2.3 - Cross-Site Scripting
---
# Exploit Title: [title]
# Date: [2019 08 06]
# Exploit Author: [Greg.Priest]
# Vendor Homepage: [https://open-school.org/]
# Software Link: []
# Version: [Open-School 3.0/Community Edition 2.3]
# Tested on: [Windows/Linux ]
# CVE : [CVE-2019-14696]
Open-School 3.0, and Community Edition 2.3, allows XSS via the /index.php?r=students/guardians/create id parameter.
/index.php?r=students/guardians/create&id=1[inject JavaScript Code]
Example:
/index.php?r=students/guardians/create&id=1alert("PWN3D!")alert("PWN3D!")
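A detection check for the request pattern in the entry above, added here as an example; it is not part of the advisory, the Exploit-DB entry or the Nuclei template. It assumes combined-format access logs and that a legitimate `id` is a decimal integer; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Route named in the advisory; the id value in the page's sample request is "1".
ROUTE = "students/guardians/create"
# Assumption: a legitimate id is a short decimal integer.
VALID_ID = re.compile(r"\d{1,10}")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_ids(request_target):
    """Return the id values that are not plain integers for the affected route."""
    # parse_qs percent-decodes names and values, so encoded markup is seen decoded.
    query = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    if ROUTE not in query.get("r", []):
        return []
    return [v for v in query.get("id", []) if not VALID_ID.fullmatch(v)]

def scan(lines):
    """Yield (line_number, offending_values) for each log line that matches."""
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if match:
            bad = suspicious_ids(match.group(1))
            if bad:
                yield number, bad

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Aug/2019:10:00:01 +0000] "GET /osv/index.php?r=students/guardians/create&id=1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [06/Aug/2019:10:00:07 +0000] "GET /osv/index.php?r=students/guardians/create&id=1%22%3E%3Cb%3Ex HTTP/1.1" 200 5188',
    '203.0.113.9 - - [06/Aug/2019:10:00:09 +0000] "GET /osv/index.php?r=students/students/view&id=abc HTTP/1.1" 200 901',
    '203.0.113.7 - - [06/Aug/2019:10:00:12 +0000] "GET /osv/index.php?r=students%2Fguardians%2Fcreate&id=7&id=x HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for number, values in scan(SAMPLE_LOG):
        print(f"line {number}: non-numeric id {values!r}")
```

A hit means the parameter carried something other than an integer, which is worth reviewing but is not proof of script execution.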
Nuclei
Open-School 3.0/Community Edition 2.3 - Cross-Site Scripting
nuclei·CVSS 6.1
CVE-2019-14696 [MEDIUM] Open-School 3.0/Community Edition 2.3 - Cross-Site Scripting
Open-School 3.0, and Community Edition 2.3, allows cross-site scripting via the osv/index.php?r=students/guardians/create id parameter.
Template:
```yaml
id: CVE-2019-14696

info:
  name: Open-School 3.0/Community Edition 2.3 - Cross-Site Scripting
  author: pikpikcu
  severity: medium
  description: Open-School 3.0, and Community Edition 2.3, allows cross-site scripting via the osv/index.php?r=students/guardians/create id parameter.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.
  remediation: |
    To remediate this issue, it is recommended to implement proper in
```
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/153984/Open-School-3.0-Community-Edition-2.3-Cross-Site-Scripting.html
- https://open-school.org
- https://pastebin.com/AgxqdbAQ

Published: 2019-08-06