CVE-2021-29663

Name of the Vulnerable Software and Affected Versions CourseMS version 2.1

Description The issue allows an attacker with Admin account access to create a Job Title in the Site area, specifically through the name parameter in admin/add jobs.php, and insert a cross-site scripting (XSS) payload. This payload will execute when anyone visits the registration page.

Recommendations For CourseMS version 2.1, consider restricting access to the admin/add jobs.php endpoint to prevent attackers from inserting XSS payloads through the name parameter until a fix is available. As a temporary workaround, monitor and validate all input for the name parameter in the admin/add jobs.php endpoint to prevent XSS payload insertion.