CVE-2024-4823

MEDIUM

6.5

Descripcion

Vulnerability in School ERP Pro+Responsive 1.0 that allows XSS via the index '/schoolerp/office_admin/' in the parameters es_bankacc, es_bank_name, es_bank_pin, es_checkno, es_teller_number, dc1 and dc2. An attacker could send a specially crafted JavaScript payload to an authenticated user and partially hijack their browser session.

Detalles CVE

Puntuacion CVSS v3.16.5

SeveridadMEDIUM

Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Vector de ataqueNETWORK

ComplejidadLOW

Privilegios requeridosNONE

Interaccion usuarioREQUIRED

Publicado5/14/2024

Ultima modificacion10/23/2025

Fuentenvd

Avistamientos honeypot0

Productos afectados

arox:school_erp_pro\+responsive

Debilidades (CWE)

CWE-79

Referencias

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-school-erp-proresponsive-arox-solution(cve-coordination@incibe.es)

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-school-erp-proresponsive-arox-solution(af854a3a-2127-422b-91ae-364da2661108)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.