CVE-2023-38881

Name of the Vulnerable Software and Affected Versions openSIS Classic version 9.0

Description A reflected cross-site scripting issue allows remote attackers to execute arbitrary JavaScript in a user's web browser. This is achieved by including a malicious payload into any of the calendar id, school date, month, or year parameters in 'CalendarModal.php'.

Recommendations For version 9.0, consider disabling access to 'CalendarModal.php' until a patch is available to prevent exploitation. Restrict input for the calendar id, school date, month, and year parameters to minimize the risk of arbitrary JavaScript execution.