Serosoft Solutions Academia SIS EagleR Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in Serosoft Solutions Academia Student Information System (SIS) EagleR version 1.0.118. This vulnerability allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the User ID parameter at the endpoint /rest/staffResource/update. The issue arises from improper sanitization and validation of input parameters, enabling malicious users to inject JavaScript code that is stored in the system and executed when the affected profile is viewed by an administrator or other users.
Impact
Exploitation of this vulnerability allows for the injection of malicious JavaScript into user profile fields, such as 'User ID,' 'First Name,' or 'Print Name.' The injected script is stored in the application and executed when the profile is viewed. This vulnerability is compounded by a broken access control issue, allowing normal users to inject scripts into any profile, including those of administrators. The consequences of this XSS vulnerability are severe, as it could lead to theft of session tokens or authentication credentials, website defacement, redirection of users to malicious websites, or injection of keyloggers to capture sensitive information.
Reproduction
To reproduce this vulnerability, log in as a student or administrator and navigate to the 'Edit User' profile page. Inject malicious JavaScript into the 'User ID,' 'First Name,' or 'Print Name' fields. Once the profile is saved, the injected script executes when the profile is viewed by an administrator or other users.
