PT-2021-22898 · Gibbon · Gibbon
Brian Lowe
·
Published
2021-09-03
·
Updated
2021-09-07
·
CVE-2021-40492
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Gibbon version 22
Description
A reflected XSS issue exists in multiple pages of the Gibbon application, allowing for arbitrary execution of JavaScript. This is achieved by manipulating parameters such as gibbonCourseClassID, gibbonPersonID, subpage, currentDate, or allStudents in the index.php page.
Recommendations
For version 22, consider disabling the execution of JavaScript in the affected pages as a temporary workaround until a patch is available. Restrict access to the index.php page to minimize the risk of exploitation. Avoid using the parameters gibbonCourseClassID, gibbonPersonID, subpage, currentDate, or allStudents in the affected API endpoint until the issue is resolved.
Exploit
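The advisory names five index.php parameters whose values are reflected into the page without output encoding. Until the patch is applied, the practical defensive checks are (a) watching the access log for requests that put markup into exactly those parameters and (b) making sure anything echoed back is HTML-encoded. The script below is an added example, not code from the advisory or from the Gibbon project: the combined-log format, the sample log entries and the IP addresses are constructed, and the WATCHED_PARAMS set is simply the list from the description above. It percent-decodes each query string, flags watched parameters containing HTML metacharacters or event-handler syntax, and shows what correct output encoding (html.escape, the Python equivalent of PHP's htmlspecialchars with ENT_QUOTES) does to such a value.

```python
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Parameters the advisory reports as reflected by index.php (taken from the page).
WATCHED_PARAMS = {
    "gibbonCourseClassID", "gibbonPersonID", "subpage", "currentDate", "allStudents",
}

# Anything here in a reflected value means the value was not HTML-encoded
# before being echoed; the first class covers tag and attribute breakouts.
SUSPICIOUS = re.compile(r'[<>"\']|javascript:|on\w+\s*=', re.IGNORECASE)

# Constructed combined-log shape (Apache/nginx style); only the request target is used.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_request(target: str) -> dict:
    """Return {param: decoded value} for watched index.php parameters whose
    decoded value contains markup; an empty dict means nothing to report."""
    parts = urlsplit(target)
    if not parts.path.endswith("/index.php"):
        return {}
    hits = {}
    # parse_qsl percent-decodes, so encoded payloads are inspected in clear.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in WATCHED_PARAMS and SUSPICIOUS.search(value):
            hits[name] = value
    return hits


def scan_log(lines) -> list:
    """Run flag_request over log lines; return one finding per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the expected log shape; skip rather than guess
        hits = flag_request(m.group("target"))
        if hits:
            findings.append({"src": m.group("src"), "ts": m.group("ts"), "params": hits})
    return findings


def safe_for_html(value: str) -> str:
    """What proper output encoding does to a reflected value: markup becomes inert text."""
    return html.escape(value, quote=True)


# Constructed sample entries: one normal request, one with markup in a watched
# parameter, one with markup in an unrelated parameter, one on a different page.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Sep/2021:10:15:01 +0000] '
    '"GET /index.php?gibbonCourseClassID=12&currentDate=2021-09-03 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [03/Sep/2021:10:16:42 +0000] '
    '"GET /index.php?subpage=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 5130',
    '203.0.113.9 - - [03/Sep/2021:10:17:03 +0000] '
    '"GET /index.php?search=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 4800',
    '203.0.113.9 - - [03/Sep/2021:10:17:20 +0000] '
    '"GET /login.php?subpage=%3C HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
        for name, value in finding["params"].items():
            print(f"  {name}: encoded for output -> {safe_for_html(value)}")
```

Only the second sample line is reported: the third carries markup in a parameter the advisory does not name, and the fourth is not an index.php request. Both are deliberate, because the point of scoping to the advisory's parameter list is a low-noise rule for this specific issue; widen WATCHED_PARAMS or drop the path check if you want a generic reflected-input detector.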
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Gibbon