CVE-2024-2597

Name of the Vulnerable Software and Affected Versions AMSS++ version 4.31

Description The issue is related to insufficient encoding of user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability. This vulnerability can be exploited through the /amssplus/modules/book/main/bookdetail school person.php endpoint, specifically in the b id parameter. A remote attacker could send a specially crafted URL to an authenticated user, potentially allowing them to steal the user's session cookie credentials.

Recommendations For AMSS++ version 4.31, consider disabling access to the /amssplus/modules/book/main/bookdetail school person.php endpoint until a patch is available. Additionally, restrict the use of the b id parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.