iNiLabs School Express Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in iNiLabs School Express (SMS Express) version 6.2. This vulnerability allows authenticated admin users to inject HTML and JavaScript payloads into the content management features. The injected payloads are saved and later executed in the browsers of other users, potentially leading to session hijacking, privilege escalation, data exfiltration, or administrative account takeover. The issue arises from inadequate input sanitization and output encoding, as well as the absence of a strict Content Security Policy (CSP) to mitigate such attacks.
Impact
Exploitation of this vulnerability allows for arbitrary JavaScript execution in the context of other users, including administrators. This could result in session hijacking, unauthorized access to administrative privileges, and potential data breaches involving sensitive student information.
Reproduction
To reproduce this vulnerability, log in as an authenticated admin user and navigate to the content management section. Access the editor for posts, notices, or pages. Inject a JavaScript payload, such as one using the 'details' tag to bypass basic filtering, into the editor. Once the content is saved and viewed by other users, the injected script will execute in their browsers, demonstrating the cross-site scripting vulnerability.
Remediation
Users are advised to upgrade to the latest version of iNiLabs School Express once a patch is available. In the meantime, monitor for suspicious HTML or JavaScript payloads in the database and restrict the use of input fields that allow for the injection of such content.
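One way to carry out the interim database monitoring described above, as an added example (not iNiLabs code and not part of the original advisory): a Python scanner that parses stored editor HTML and reports script-capable markup, including event-handler attributes on otherwise harmless elements that a tag-name filter would pass. The table names, the sample rows and the blocked-element policy are assumptions.

```python
from html.parser import HTMLParser

# Assumed policy: elements that editor-authored posts, notices and pages never need.
BLOCKED_TAGS = {"script", "iframe", "object", "embed", "base", "form"}
# Attributes that hold a URL and can therefore carry a script scheme.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data"}
BAD_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


class _Finder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):  # names arrive lower-cased
        if tag in BLOCKED_TAGS:
            self.findings.append(f"element <{tag}>")
        for name, value in attrs:  # values arrive entity-decoded
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and value:
                # URL parsers strip tabs, newlines and leading control
                # characters, so drop them before comparing the scheme.
                compact = "".join(c for c in value if c > " ").lower()
                if compact.startswith(BAD_SCHEMES):
                    self.findings.append(f"script URL in {name} on <{tag}>")


def scan_html(fragment):
    finder = _Finder()
    finder.feed(fragment)
    finder.close()
    return finder.findings


def scan_rows(rows):
    """rows: iterable of (table, row_id, html); returns only the rows with findings."""
    return {(t, i): f for t, i, html in rows if (f := scan_html(html))}


# Constructed sample rows; the table names are hypothetical.
SAMPLE_ROWS = [
    ("notice", 1, "<p>Exams start <b>Monday</b>. <a href='/timetable'>Timetable</a></p>"),
    ("posts", 7, "<details open ontoggle=\"console.log('sample')\"><summary>More</summary></details>"),
    ("pages", 3, "<a href=\"java&#115;cript:void(0)\">Fees</a>"),
    ("posts", 9, "<p>Write &lt;script&gt; as text, like this</p>"),
]

if __name__ == "__main__":
    for key, findings in scan_rows(SAMPLE_ROWS).items():
        print(key, findings)
```

Rows whose markup was stored entity-encoded, like the last sample, produce no findings because the parser sees them as text rather than as elements.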
