CVE-2024-28095
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in Schoolbox's news functionality allows authenticated attackers to inject malicious scripts that execute in other users' browsers. It affects all Schoolbox instances running versions before 23.1.3. The vulnerability enables attackers to perform actions on behalf of affected users, potentially compromising their accounts.
💻 Affected Systems
- Schoolbox Learning Management System
📦 What is this software?
Schoolbox by Schoolbox
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform account takeovers, escalate privileges, or redirect users to malicious sites, potentially leading to complete system compromise.
Likely Case
Attackers inject malicious scripts to steal user credentials or session tokens, leading to unauthorized access to sensitive student/teacher data.
If Mitigated
With proper input validation and output encoding, the risk is reduced to minimal, though authenticated users could still post malicious content visible to others.
🎯 Exploit Status
Requires authenticated access but exploitation is straightforward once authenticated. Stored XSS payloads persist in the news system.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 23.1.3
Vendor Advisory: https://www.themissinglink.com.au/security-advisories/cve-2024-28095
Restart Required: Yes
Instructions:
1. Back up your Schoolbox instance.
2. Upgrade to Schoolbox version 23.1.3 or later.
3. Restart the application services.
4. Verify the fix by testing news functionality.
🔧 Temporary Workarounds
Disable News Module
Temporarily disable the news functionality module to prevent exploitation.
Content Security Policy
Implement strict CSP headers to mitigate XSS impact.
Add this header to the web server configuration: Content-Security-Policy: default-src 'self'; script-src 'self'
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads in news posts
- Enable input validation and output encoding at the application layer for all user-generated content
🔍 How to Verify
Check if Vulnerable:
Check Schoolbox version in admin panel. If version is below 23.1.3, the system is vulnerable.
Check Version:
Check Schoolbox admin dashboard or consult application configuration files for version information
Verify Fix Applied:
After patching, test news functionality by attempting to inject basic XSS payloads (like <script>alert('test')</script>) and verify they are properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual script tags or JavaScript in news posts
- Multiple failed XSS attempts in input fields
- Unexpected content modifications in news module
Network Indicators:
- Suspicious POST requests to news endpoints containing script tags
- Unexpected outbound connections from user browsers after viewing news
SIEM Query:
source="schoolbox_logs" AND (message="*<script>*" OR message="*javascript:*") AND module="news"
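The SIEM query above matches only literal `<script>` and `javascript:` strings. The following added example (not from the advisory or from Schoolbox) goes further by decoding URL and HTML-entity encoding before matching and by flagging inline event-handler attributes. The JSON log format and the field names `module`, `user` and `message` are assumptions, and the sample records are constructed.

```python
import html
import json
import re
from urllib.parse import unquote_plus

# The page's SIEM query covers the first two markers; event handlers are added.
MARKERS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"<[^>]*\son\w+\s*=", re.I),
}

def normalize(text, rounds=3):
    """Undo URL and HTML-entity encoding (up to `rounds` layers)."""
    for _ in range(rounds):
        decoded = html.unescape(unquote_plus(text))
        if decoded == text:
            break
        text = decoded
    return text

def scan(lines, module="news"):
    """Return (user, marker names) for each matching record in `module`."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON records
        if not isinstance(rec, dict) or rec.get("module") != module:
            continue
        body = normalize(rec.get("message", ""))
        found = [name for name, rx in MARKERS.items() if rx.search(body)]
        if found:
            hits.append((rec.get("user"), found))
    return hits

# Constructed sample records; the log format and field names are assumptions.
SAMPLE = [
    '{"module": "news", "user": "u1", "message": "Sports day moved to Friday"}',
    '{"module": "news", "user": "u2", "message": "%3CScRiPt%3Ealert(1)%3C/script%3E"}',
    '{"module": "news", "user": "u3", "message": "&lt;img src=x onerror=alert(1)&gt;"}',
    '{"module": "forum", "user": "u4", "message": "<script>alert(1)</script>"}',
    'not a json line',
]

if __name__ == "__main__":
    for user, found in scan(SAMPLE):
        print(user, found)
```

Pattern matching of this kind is a triage aid for reviewing stored news content and request logs; it does not replace upgrading to 23.1.3.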