CVE-2021-3262

Name of the Vulnerable Software and Affected Versions TripSpark VEO Transportation versions 2.2.x NovusEDU versions 2.2.x

Description The issue allows unsafe data inputs in POST body parameters from end users without sanitizing using server-side logic. It was possible to inject custom SQL commands into the "Student Busing Information" search queries.

Recommendations For TripSpark VEO Transportation version 2.2.x, consider disabling the feature that allows user input in the "Student Busing Information" search queries until a patch is available. For NovusEDU version 2.2.x, restrict access to the "Student Busing Information" search queries to minimize the risk of exploitation. As a temporary workaround, avoid using the vulnerable POST body parameters in the affected search queries until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.