Allen.Liu

**Name of the Vulnerable Software and Affected Versions** ShinHer StudyOnline System (affected versions not specified) **Description** The issue concerns the `List Add` function of the message board in ShinHer StudyOnline System, which fails to filter special characters in the `title` parameter. This allows remote attackers to inject JavaScript and execute stored XSS attacks after logging in with a user's privilege. **Recommendations** For ShinHer StudyOnline System, consider disabling the `List Add` function until a patch is available to prevent the injection of JavaScript and execution of stored XSS attacks. Restrict access to the message board to minimize the risk of exploitation. Avoid using the `title` parameter in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ShinHer StudyOnline System (affected versions not specified) **Description** The issue concerns the "Teacher Edit" function, which lacks authority control. After logging in with a user's privilege, remote attackers can access and edit other users' credentials and personal information by crafting URL parameters. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ShinHer StudyOnline System (affected versions not specified) **Description** The issue concerns the "Study Edit" function, which lacks proper permission control. This allows remote attackers to access and edit other users' tutorial schedules by manipulating URL parameters after logging in with user privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ShinHer StudyOnline System (affected versions not specified) **Description** The issue concerns the "List View" function not being under authority control, allowing remote attackers to access other users' message board content by manipulating URL parameters after logging in with user privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.