Jakub Toczyski

**Name of the Vulnerable Software and Affected Versions** ProjectsAndPrograms school-management-system (affected versions not specified) **Description** Stored Cross-Site Scripting (XSS) exists in multiple attributes of students and teachers objects. This allows an authorized attacker, such as a teacher or administrator, to inject malicious JavaScript that executes in the browsers of other users. When combined with a flaw allowing unauthenticated access to backend endpoints, a remote attacker without privileges can inject and execute arbitrary JavaScript. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ProjectsAndPrograms school-management-system (affected versions not specified) **Description** The software uses predictable credentials by generating passwords for students and teachers based solely on the user's date of birth. Additionally, the application does not require users to change their password during the first login, which allows attackers to guess or derive valid credentials to gain unauthorized account access. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.