CloudSchool v3.0.1 is vulnerable to Cross Site Scripting (XSS). A normal user can steal the session cookies of admin users through a notification received by the admin user.
CloudSchool v3.0.1 (GitHub repo hrshadhin/school-management-system) is affected. This vulnerability allows the attacker to execute XSS payloads in the session of another user, which may result in cookie stealing or the execution of malicious scripts in the victim’s browser.
In this scenario there are two users: “superadmin”, who has all permissions in the application and is the victim, and “admin1”, the attacker, who only has permission to create, edit and delete employees and users.
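The defect class above is a stored XSS: text chosen by a low-privileged user is later rendered, unescaped, inside a notification shown to a higher-privileged user. The following is an added illustration, not CloudSchool's own code; the notification markup, the `escapeHtml` helper and the sample name are assumptions constructed for the example, showing the unsafe rendering beside the hardened one.

```javascript
// Added illustration (not CloudSchool's code): one notification rendered
// unsafely (untrusted text spliced into HTML) and safely (HTML-escaped first).
// Constructed sample: a display name an untrusted user could have chosen.
const UNTRUSTED_NAME = 'Alice <script>x()</script>';

// Escape the five characters that change meaning in an HTML text or
// double/single-quoted attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the actor's name goes straight into markup, so the
// admin's browser parses it as HTML when the notification list is displayed.
function renderNotificationUnsafe(actorName, action) {
  return `<li class="notification">${actorName} ${action}</li>`;
}

// Hardened pattern: every untrusted field is escaped before it enters the
// markup, so the browser shows the name as literal text.
function renderNotificationSafe(actorName, action) {
  return `<li class="notification">${escapeHtml(actorName)} ${escapeHtml(action)}</li>`;
}

// Detection helper for reviews/tests: does the fragment still carry a raw
// script or active-content tag that came from the untrusted input?
function containsRawActiveTag(html) {
  return /<\s*\/?\s*(script|img|svg|iframe|object)\b/i.test(html);
}

module.exports = { escapeHtml, renderNotificationUnsafe, renderNotificationSafe, containsRawActiveTag, UNTRUSTED_NAME };
```

Escaping at the point of output removes the injection; marking the session cookie `HttpOnly` is a separate, complementary control that limits what any script that does run can read.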
Reported On: 25th November 2022
Made Public On: 22nd November 2022
Fixed On: Not Fixed