Technical Advisory

Through sharp, technical and insightful analysis, the Payatu Team is constantly on the lookout for vulnerabilities and threats. This section exhibits a few of our findings.

Technical Advisory

Through sharp, technical and insightful analysis, the Payatu Team is constantly on the lookout for vulnerabilities and threats. This section exhibits a few of our findings.

CloudSchool v3.0.1 is vulnerable to Cross Site Scripting (XSS)

Vulnerability

CloudSchool v3.0.1 is vulnerable to Cross Site Scripting (XSS). A normal user can steal session cookies of the admin users through notification received by the admin user.

Description

CloudSchool v3.0.1 in GitHub repo hrshadhin/school-management-system This vulnerability causes the attacker to execute XSS payloads in the session of another user which may result to cookie stealing or executing malicious scripts in the victim’s browser.

Attack scenario:
In this scenario there are two users where the user “superadmin” has all the permission to the application also the victim in this scenario and the user “admin1”, the attacker in this scenario has only the permission to Create,Edit,Delete Employees and users.
The vulnerability causes the use of a payload “<script>alert(141)</script>” by the user “admin1” to create an employee with the name as the payload. After creating the employee, a notification is raised when we login to the app as the “superadmin” user. Due to the lack of sanitization of the input the Javascript payload gets executed in the session of the “superadmin” user. This behavior can be replicated in any scenarios where the victim user receives a notification.

CVE-ID

CVE-2022-46087

Vendor

hrshadhin/school-management-system

Product

CloudSchool v3.0.1

Disclosure Timeline

Reported On: 25th November 2022

Made Public On: 22th November 2022

Fixed On: Not Fixed

Credits

Soummya Mukhopadhyay

DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

DOWNLOAD A SAMPLE REPORT

Fill in your details and get your copy of sample report in few seconds

Let’s make cyberspace secure together!

Requirements

What our clients are saying!

Trusted by