PT-2021-18607 · Unknown · Web-School Erp

0Xrayan · Published 2021-04-08 · Updated 2021-04-13 · CVE-2021-30113

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Web-School ERP version 5.0

Description

A blind XSS issue exists, allowing an attacker to inject JavaScript code into the event name and description fields via the Add Events feature. This code is stored on the page and executed when a visitor views the event, potentially sending the victim's information to the attacker's website.

Recommendations

For Web-School ERP version 5.0, consider disabling the Add Events feature or restricting access to it until a fix is available. As a temporary workaround, restrict the ability to inject JavaScript code into the event name and description fields to minimize the risk of exploitation.
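
An added example, not part of the original advisory and not Web-School ERP code: stored event fields rendered as-is beside the same template with output encoding, plus a check that reports any tag or event-handler attribute the template did not emit. The template, function names and sample events are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample event records (not taken from the application).
EVENTS = [
    {"name": "Sports day", "description": "Annual athletics meet & picnic"},
    {"name": "<script>alert(1)</script>",
     "description": '<img src=x onerror="alert(2)">'},
]

TEMPLATE_TAGS = {"div", "h3", "p"}  # the only tags the template itself emits


def render_unsafe(event):
    """'Before' form: stored values are concatenated into the page as-is."""
    return '<div class="event"><h3>%s</h3><p>%s</p></div>' % (
        event["name"], event["description"])


def render_escaped(event):
    """Hardened form: every stored value is HTML-encoded at output time."""
    return '<div class="event"><h3>%s</h3><p>%s</p></div>' % (
        html.escape(event["name"], quote=True),
        html.escape(event["description"], quote=True))


class TagAudit(HTMLParser):
    """Collects non-template tags and on* handler attributes in rendered HTML."""
    def __init__(self):
        super().__init__()
        self.unexpected = []

    def handle_starttag(self, tag, attrs):
        if tag not in TEMPLATE_TAGS:
            self.unexpected.append(tag)
        self.unexpected += [k for k, _ in attrs if k.startswith("on")]


def injected_markup(rendered):
    """Return the tags/handlers in `rendered` that the template did not emit."""
    audit = TagAudit()
    audit.feed(rendered)
    audit.close()
    return audit.unexpected


if __name__ == "__main__":
    for ev in EVENTS:
        print(injected_markup(render_unsafe(ev)), injected_markup(render_escaped(ev)))
```

Running `injected_markup` over every rendered event view in a regression test catches a template that stops encoding these fields.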

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2021-30113

Affected Products

Web-School Erp