CVE-2024-28097 in Schoolboxinfo

Summary

by MITRE • 03/07/2024

Calendar functionality in Schoolbox application before version 23.1.3 is vulnerable to stored cross-site scripting allowing authenticated attacker to perform security actions in the context of the affected users.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 04/17/2025

The vulnerability identified as CVE-2024-28097 affects the calendar functionality within the Schoolbox application, representing a critical stored cross-site scripting flaw that enables authenticated attackers to execute malicious code in the context of legitimate users. This vulnerability specifically impacts versions prior to 23.1.3, indicating that the developers have acknowledged and addressed the issue in their subsequent releases. The flaw resides within the calendar component that processes user input, creating an environment where malicious scripts can be persistently stored and subsequently executed when other users interact with the calendar features. This type of vulnerability falls under the Common Weakness Enumeration category CWE-079, which specifically addresses cross-site scripting vulnerabilities where input is not properly sanitized or validated before being rendered back to users.

The operational impact of this vulnerability extends beyond simple data theft or defacement, as it allows attackers to perform security actions within the context of affected users. This means that an authenticated attacker who successfully exploits this vulnerability can potentially escalate their privileges, access sensitive educational data, manipulate calendar events, or even gain deeper access to the application's underlying systems. The stored nature of the XSS vulnerability means that the malicious payload is permanently saved within the application's database, making it particularly dangerous as it can affect multiple users over extended periods without requiring repeated exploitation attempts. This characteristic aligns with ATT&CK technique T1531 which focuses on establishing persistence through the use of malicious scripts in web applications.

The security implications are particularly severe in educational environments where Schoolbox applications are commonly deployed for managing student schedules, parent communications, and administrative functions. Attackers could potentially inject malicious scripts that redirect users to phishing sites, steal session cookies, or even execute commands that compromise the entire application environment. The authenticated nature of the attack means that the vulnerability requires users to be logged into the system, but once exploited, the attacker can leverage the victim's permissions and access levels to perform actions that would otherwise be restricted. Organizations using Schoolbox must consider the broader implications of this vulnerability on their data integrity and user privacy, as calendar functionality often contains sensitive information about student activities, parent communications, and institutional scheduling that could be exploited for various malicious purposes. The remediation approach should focus on implementing proper input validation, output encoding, and content security policies to prevent the storage and execution of malicious scripts within the calendar functionality.

Reservation

03/04/2024

Disclosure

03/07/2024

Moderation

accepted

CPE

ready

EPSS

0.00367

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!