CVE-2024-4823

Name of the Vulnerable Software and Affected Versions School ERP Pro+Responsive version 1.0

Description The issue allows for cross-site scripting (XSS) attacks via the index '/schoolerp/office admin/' in the parameters es bankacc, es bank name, es bank pin, es checkno, es teller number, dc1, and dc2. An attacker could send a specially crafted JavaScript payload to an authenticated user and partially hijack their browser session.

Recommendations For School ERP Pro+Responsive version 1.0, as a temporary workaround, consider restricting access to the vulnerable parameters es bankacc, es bank name, es bank pin, es checkno, es teller number, dc1, and dc2 in the '/schoolerp/office admin/' index until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.