CVE-2024-4822

Name of the Vulnerable Software and Affected Versions School ERP Pro+Responsive version 1.0

Description The issue allows an attacker to partially take control of the victim's browser session through a cross-site scripting (XSS) attack. This is achieved by exploiting the username and password parameters in the "/index.php" API endpoint. The attacker can gain unauthorized access and potentially steal data.

Recommendations For School ERP Pro+Responsive version 1.0, patch the software immediately and validate user input to prevent exploitation. As a temporary workaround, consider restricting access to the "/index.php" endpoint until a patch is applied. Avoid using the username and password parameters in the affected API endpoint until the issue is resolved.