CVE-2024-46334

6.1 MEDIUM

📋 TL;DR

Version 1.0 of the kashipara School Management System, a PHP web application, writes the formuser and formpassword values submitted to /adminLogin.php back into HTML without encoding them. An attacker can therefore inject script through those fields; when the resulting login error page or login log entry is rendered in an administrator's browser, the script runs with the administrator's session.

💻 Affected Systems

Products:
  • kashipara School Management System
Versions: 1.0
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable code is present in the default installation; the attacker needs only HTTP access to the login page, no account.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker who gets script to run in an administrator's browser can read the administrator's session cookie (if it is not marked HttpOnly), perform actions as that administrator (add or delete users, modify grades), or redirect users to malicious sites.

🟠 Likely Case

Session hijacking leading to unauthorized administrative access and data manipulation within the school management system.

🟢 If Mitigated

With server-side validation and context-correct output encoding in place, injected markup is rendered as inert text. Encoding at output time does not change how credentials are checked, so the login flow keeps working; only an over-strict input allow-list could reject legitimate usernames containing special characters.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Submitting the payload requires no credentials; exploitation completes when an administrator views the injected login attempt or the resulting error page.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch is available. Apply server-side input validation and HTML output encoding in /adminLogin.php to the formuser and formpassword parameters, and never write the submitted password back into a page or a log.

🔧 Temporary Workarounds

Input Validation and Output Encoding (applies to: all)

Add server-side validation and HTML encoding for the formuser and formpassword parameters.

Edit /adminLogin.php so that every place a submitted value is written into HTML passes through htmlspecialchars() (with ENT_QUOTES and an explicit charset) or an equivalent encoder for that output context; encode at render time, including in the login log view.
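The fix instructions above and this workaround describe the same change. The following is an added example, not code from kashipara or from this page: it shows the vulnerable pattern (submitted username concatenated into HTML) beside the hardened version. It assumes that /adminLogin.php writes the submitted username into an error message and into a login log an administrator later views; the function names and the log row layout are illustrative, not the project's own.

```php
<?php
// Added example, not the project's code. Assumption: adminLogin.php reads
// formuser/formpassword from the login form and, on failure, writes the
// submitted username back into an HTML error message and into a login log
// that an administrator later views. Function names here are illustrative.

declare(strict_types=1);

/** Encode a value for an HTML text or quoted-attribute context. */
function h(string $s): string
{
    // ENT_QUOTES also escapes single quotes (safe inside '...' attributes);
    // ENT_SUBSTITUTE keeps htmlspecialchars() from returning '' on bad UTF-8.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Usernames are identifiers, not markup: allow-list the character set. */
function valid_username(string $u): bool
{
    return preg_match('/\A[A-Za-z0-9_.@-]{1,64}\z/', $u) === 1;
}

/** VULNERABLE pattern: untrusted input concatenated straight into HTML. */
function login_error_vulnerable(string $formuser): string
{
    return "<p class='err'>Login failed for user " . $formuser . "</p>";
}

/** FIXED: validate on input, encode on output. The password is never echoed. */
function login_error_fixed(string $formuser): string
{
    if (!valid_username($formuser)) {
        // Reject without reflecting the offending value at all.
        return "<p class='err'>Login failed: invalid username format</p>";
    }
    return "<p class='err'>Login failed for user " . h($formuser) . "</p>";
}

/**
 * Login-log view. Encode at render time even if the stored value was
 * validated on the way in: the table may still hold rows written before
 * the fix, and the database is not a trust boundary.
 */
function render_log_row(array $row): string
{
    return '<tr><td>' . h($row['ip']) . '</td><td>' . h($row['formuser'])
         . '</td><td>' . h($row['result']) . '</td></tr>';
}

// Demo on the payload from the verification step (constructed input; on the
// CLI $_POST is empty, so the fallback value is used).
$formuser = $_POST['formuser'] ?? "<script>alert('XSS')</script>";

echo login_error_vulnerable($formuser), PHP_EOL;          // script tag reaches the browser intact
echo login_error_fixed($formuser), PHP_EOL;               // rejected, nothing reflected
echo login_error_fixed('admin.teacher@school'), PHP_EOL;  // legitimate name passes and is encoded
echo render_log_row(['ip' => '10.0.0.9', 'formuser' => $formuser, 'result' => 'FAIL']), PHP_EOL;
```

Run it with `php fix_example.php` to compare the two outputs. The validation allow-list is a design choice: it stops reflection of anything that is not a plausible username, but the encoding in h() is what actually makes the page safe, so keep the encoder even where validation is relaxed.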

Web Application Firewall (WAF) (applies to: all)

Deploy WAF rules that block XSS payloads in the login parameters.

Add a rule that inspects the URL-decoded formuser and formpassword values of requests to /adminLogin.php for script tags, event-handler attributes and javascript: URLs. Treat this as defence in depth only: signature matching on encoded input is routinely bypassed, and it does not remove the missing output encoding.

🧯 If You Can't Patch

  • Restrict access to adminLogin.php to trusted IP addresses only
  • Serve a Content Security Policy that disallows inline script (no 'unsafe-inline' in script-src); a policy that still permits inline script does not stop the injected payload

🔍 How to Verify

Check if Vulnerable:

Submit <script>alert('XSS')</script> (URL-encoded in the request) as formuser or formpassword to /adminLogin.php, then open every page where the value is shown: the login error response and the login log view. If the alert fires, or the tag appears unencoded in the HTML source, the instance is vulnerable.

Check Version:

Check the version string in the source code or documentation; only version 1.0 is reported as affected.

Verify Fix Applied:

After implementing fixes, repeat XSS test to confirm scripts no longer execute

📡 Detection & Monitoring

Log Indicators:

  • Script tags, event-handler attributes or javascript: URLs in login attempt logs
  • Repeated failed login attempts whose username or password values are URL-encoded markup

Network Indicators:

  • HTTP requests to adminLogin.php containing script tags or JavaScript in the formuser or formpassword parameters

SIEM Query:

source="web_logs" AND uri="/adminLogin.php" AND (param="formuser" OR param="formpassword") AND (content="<script>" OR content="javascript:")

This is a generic pseudo-query: map the field names to your log schema and match against the URL-decoded parameter values, since attackers send %3Cscript%3E rather than a literal tag. Standard web-server access logs do not record POST bodies, so form submissions are only visible in WAF or application logs that capture request parameters, or when the form is submitted via GET.
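As an added example, not from the page or the project, the following PHP script applies the detection logic above offline to a handful of constructed access-log lines. It assumes the login parameters are visible in the log (submitted via GET here; a WAF or application log with request bodies would serve the same purpose), decodes the values before matching so single- and double-URL-encoded payloads are both caught, and restricts itself to /adminLogin.php.

```php
<?php
// Added example (not from the page or the project). Assumption: the login
// parameters are visible in the log line, either because the form was
// submitted via GET or because a WAF/application log recorded them. The log
// lines below are constructed for the demo.

declare(strict_types=1);

const LOG_LINES = [
    '10.0.0.5 - - [12/Sep/2024:10:01:02 +0000] "GET /adminLogin.php?formuser=admin&formpassword=Secret1 HTTP/1.1" 302 0',
    '10.0.0.9 - - [12/Sep/2024:10:02:15 +0000] "GET /adminLogin.php?formuser=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3E&formpassword=x HTTP/1.1" 200 1432',
    '10.0.0.9 - - [12/Sep/2024:10:02:40 +0000] "GET /adminLogin.php?formuser=a&formpassword=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 1432',
    '10.0.0.9 - - [12/Sep/2024:10:03:01 +0000] "GET /adminLogin.php?formuser=%253Cscript%253E HTTP/1.1" 200 1432',  // double-encoded
    '10.0.0.7 - - [12/Sep/2024:10:04:00 +0000] "GET /index.php?page=%3Cscript%3E HTTP/1.1" 200 880',                 // other endpoint, out of scope
];

/** Indicators of an XSS probe, matched against the fully decoded value. */
const XSS_PATTERNS = [
    '/<\s*script\b/i',
    '/javascript\s*:/i',
    '/\bon[a-z]+\s*=/i',               // onerror=, onload=, ...
    '/<\s*(img|svg|iframe|body)\b/i',
];

/** Decode repeatedly so double-encoding (%253C -> %3C -> <) does not evade the match. */
function fully_decode(string $v, int $maxRounds = 3): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $d = rawurldecode($v);
        if ($d === $v) {
            break;
        }
        $v = $d;
    }
    return $v;
}

/** Return [param => decoded value] for each suspicious login parameter, [] if clean or not adminLogin.php. */
function suspicious_params(string $line): array
{
    if (!preg_match('#"(?:GET|POST) /adminLogin\.php(?:\?([^ "]*))? HTTP/#', $line, $m)) {
        return [];
    }
    parse_str($m[1] ?? '', $params);   // parse_str() URL-decodes once
    $hits = [];
    foreach (['formuser', 'formpassword'] as $p) {
        if (!isset($params[$p]) || !is_string($params[$p])) {
            continue;
        }
        $value = fully_decode($params[$p]);
        foreach (XSS_PATTERNS as $re) {
            if (preg_match($re, $value) === 1) {
                $hits[$p] = $value;
                break;
            }
        }
    }
    return $hits;
}

foreach (LOG_LINES as $line) {
    $hits = suspicious_params($line);
    if ($hits === []) {
        continue;
    }
    preg_match('/^(\S+)/', $line, $ip);
    printf("ALERT src=%s params=%s\n", $ip[1], json_encode($hits, JSON_UNESCAPED_SLASHES));
}
```

Run it with `php detect.php`; the three probes from 10.0.0.9 are flagged, the legitimate login and the request to index.php are not. The first constructed line also shows why the form should POST rather than GET: a GET submission puts the password into the access log in clear text.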
