CVE-2024-50841
📋 TL;DR
A stored cross-site scripting vulnerability in KASHIPARA E-learning Management System Project 1.0 allows an attacker who can create or modify calendar events to inject script through the date_start, date_end and title parameters of /admin/calendar_of_events.php. The stored payload executes in the browser of any administrator who views the calendar page, which can expose the admin session. All installations of version 1.0 are affected.
💻 Affected Systems
- KASHIPARA E-learning Management System Project
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Administrator account takeover leading to full system compromise, data theft, or deployment of additional malware.
Likely Case
Session hijacking of admin accounts, unauthorized access to sensitive student/teacher data, or defacement of the learning platform.
If Mitigated
Limited impact with proper input validation and output encoding, potentially only affecting individual admin sessions.
🎯 Exploit Status
Exploitation requires access to create/modify calendar events; public proof-of-concept demonstrates injection via date_start, date_end, and title parameters
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch available. As a workaround, validate the calendar parameters on input and HTML-encode them on output (see Temporary Workarounds).
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement server-side validation for the date_start, date_end and title parameters handled by calendar_of_events.php: accept date fields only if they parse strictly as a date in the expected format, and cap the title length.
Edit /admin/calendar_of_events.php so that every stored value is escaped with htmlspecialchars($value, ENT_QUOTES, 'UTF-8') at the point where it is written into the calendar page's HTML (including attribute values). Encoding belongs on output; validation on input is an additional layer, not a substitute, because a title legitimately may contain characters such as < or '.
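The following is an added example, not KASHIPARA's code, showing the vulnerable pattern beside the hardened one for the calendar event parameters named above. The function names, the HTML layout and the Y-m-d date format are assumptions made for the example.

```php
<?php
// Added example (not the project's code): "before" and "after" handling of the
// calendar event fields date_start, date_end and title.
// Function names, markup and the Y-m-d date format are assumptions.

// VULNERABLE: the stored values are echoed straight into the admin calendar page.
function render_event_vulnerable(array $event): string
{
    return "<div class='event' data-start='{$event['date_start']}' "
         . "data-end='{$event['date_end']}'>" . $event['title'] . "</div>";
}

// HARDENED, step 1: validate on input. Dates must be real dates in Y-m-d form;
// the title is length-limited. Returns null so the caller can reject the request.
function validate_event(array $post): ?array
{
    $clean = [];
    foreach (['date_start', 'date_end'] as $field) {
        $raw = (string)($post[$field] ?? '');
        $dt = DateTime::createFromFormat('!Y-m-d', $raw);
        // createFromFormat is lenient (it rolls "2024-02-30" over into March), so
        // round-trip the value and compare to reject anything that is not an exact date.
        if ($dt === false || $dt->format('Y-m-d') !== $raw) {
            return null;
        }
        $clean[$field] = $dt->format('Y-m-d');
    }
    $title = trim((string)($post['title'] ?? ''));
    if ($title === '' || mb_strlen($title) > 200) {
        return null;
    }
    // The title is deliberately NOT filtered for "<" or "script": markup is made
    // harmless by encoding on output, not by trying to blacklist it on input.
    $clean['title'] = $title;
    return $clean;
}

// HARDENED, step 2: encode on output. ENT_QUOTES escapes both quote kinds so the
// value is safe inside double-quoted attributes as well as element text.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_event_hardened(array $event): string
{
    return '<div class="event" data-start="' . h($event['date_start'])
         . '" data-end="' . h($event['date_end']) . '">'
         . h($event['title']) . '</div>';
}

// Constructed sample request in the shape of the public PoC (title carries the payload).
$posted = [
    'date_start' => '2024-11-01',
    'date_end'   => '2024-11-02',
    'title'      => "<script>alert('XSS')</script>",
];

// Vulnerable path: the script element reaches the browser unchanged.
echo render_event_vulnerable($posted), PHP_EOL;

// Hardened path: the same title is stored, but rendered as inert text.
$clean = validate_event($posted);
echo $clean === null ? 'rejected' : render_event_hardened($clean), PHP_EOL;

// A payload placed in a date field is rejected before it is ever stored.
$bad = ['date_start' => "<script>alert(1)</script>", 'date_end' => '2024-11-02', 'title' => 'ok'];
echo validate_event($bad) === null ? 'rejected' : 'accepted', PHP_EOL;
```

Run it with the PHP CLI (php example.php) and compare the two rendered lines: in the hardened output the angle brackets and quotes of the title arrive as HTML entities, so the browser shows the payload as text instead of executing it.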
Content Security Policy
Implement a strict CSP as defence in depth; it limits what an injected payload can do but does not remove the stored XSS, so it complements output encoding rather than replacing it.
Add to .htaccess or the server config: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Test the calendar page afterwards: this policy also blocks the application's own inline scripts and event handlers, so pages that rely on them need those scripts moved to files served from the same origin.
Reload the web server if you changed the server config (.htaccess changes take effect without a reload).
🧯 If You Can't Patch
- Restrict admin access to trusted IP addresses only
- Implement web application firewall rules to block XSS payloads in calendar parameters
🔍 How to Verify
Check if Vulnerable:
Test by creating a calendar event with the payload <script>alert('XSS')</script> in the date_start, date_end or title field, then open the admin calendar page. If the alert fires, the installation is vulnerable. Test each field separately, since the fix may cover one parameter and not the others.
Check Version:
Check project documentation or source code for version information
Verify Fix Applied:
After implementing the fixes, repeat the test for each field: the script must not execute, and in the page source the stored payload should appear HTML-encoded (for example &lt;script&gt;) rather than as a live script element. If a date field now rejects the payload outright, that is also a pass.
📡 Detection & Monitoring
Log Indicators:
- Unusual length or special characters in calendar event parameters
- Multiple failed login attempts followed by calendar event creation
Network Indicators:
- HTTP POST requests to /admin/calendar_of_events.php with script tags in parameters
SIEM Query:
source="web_logs" AND (uri="/admin/calendar_of_events.php") AND (param="date_start" OR param="date_end" OR param="title") AND (content="<script>" OR content="javascript:")
This is a pseudo-query; adapt the field names to your SIEM. Note that standard web server access logs do not record POST bodies, so the parameter values are only visible if request-body logging or a WAF log is feeding the SIEM. Matching the literal string <script> also misses event-handler payloads such as <img onerror=...>, so broaden the pattern where the log source allows.
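As an added example (not part of the advisory), the detection logic above implemented as a small PHP CLI scanner over constructed request-body log lines. The log line format, the sample entries and the regular expression are assumptions; the point it adds beyond the SIEM query is that the pattern also catches event-handler payloads that a literal <script> match would miss.

```php
<?php
// Added example (not part of the advisory): scan a request-body/WAF log for
// XSS-like values in the calendar parameters named in the SIEM query.
// Log format, sample lines and patterns are assumptions made for this example.

const TARGET_URI    = '/admin/calendar_of_events.php';
const WATCHED_PARAMS = ['date_start', 'date_end', 'title'];

// Flag "<script" in any case, javascript: URLs, and on*= event handlers, which
// a literal "<script>" match would miss. The value is decoded once more here
// because parse_str() already decoded it once: this also catches double-encoding.
function looks_like_xss(string $value): bool
{
    $decoded = rawurldecode($value);
    return (bool)preg_match('/<\s*script|javascript\s*:|\bon\w+\s*=/i', $decoded);
}

// Parse one line of the assumed format:
//   <ip> - - [<timestamp>] "POST <uri> HTTP/1.1" <status> body="<urlencoded params>"
// Returns an alert record for a matching calendar request, or null.
function scan_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "POST (\S+) [^"]*" \d{3} body="([^"]*)"/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    [, $ip, $ts, $uri, $body] = $m;
    if (strtok($uri, '?') !== TARGET_URI) {
        return null;
    }
    parse_str($body, $params);
    $hits = [];
    foreach (WATCHED_PARAMS as $p) {
        if (isset($params[$p]) && looks_like_xss((string)$params[$p])) {
            $hits[] = $p;
        }
    }
    return $hits ? ['ip' => $ip, 'time' => $ts, 'params' => $hits] : null;
}

// Constructed sample lines (not real traffic): one benign event, a classic
// script-tag payload in title, an event-handler payload in date_start, and an
// unrelated login request that must not alert.
$log = [
    '10.0.0.5 - - [12/Nov/2024:10:01:02 +0000] "POST /admin/calendar_of_events.php HTTP/1.1" 302 body="title=Exam+week&date_start=2024-11-18&date_end=2024-11-22"',
    '10.0.0.9 - - [12/Nov/2024:10:03:41 +0000] "POST /admin/calendar_of_events.php HTTP/1.1" 302 body="title=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&date_start=2024-11-18&date_end=2024-11-22"',
    '10.0.0.9 - - [12/Nov/2024:10:04:10 +0000] "POST /admin/calendar_of_events.php HTTP/1.1" 302 body="title=x&date_start=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&date_end=2024-11-22"',
    '10.0.0.7 - - [12/Nov/2024:10:05:00 +0000] "POST /admin/login.php HTTP/1.1" 200 body="username=admin&password=%3Cscript%3E"',
];

foreach ($log as $line) {
    if ($alert = scan_line($line)) {
        printf("ALERT %s from %s: XSS-like payload in %s\n",
            $alert['time'], $alert['ip'], implode(', ', $alert['params']));
    }
}
```

Pipe a real request-body log into scan_line() line by line to use it outside the sample; the URI check keeps unrelated forms such as the login page from generating noise, and the repeat hits from one source IP are the pattern to correlate with the "failed logins followed by event creation" indicator above.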