CVE-2024-5367 in College Management System
Summary
by MITRE • 05/26/2024
A vulnerability was found in Kashipara College Management System 1.0 and classified as problematic. This issue affects some unknown processing of the file each_extracurricula_activities.php. The manipulation of the argument id leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-266279.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 06/28/2026
The Kashipara College Management System version 1.0 contains a critical cross site scripting vulnerability that poses significant security risks to organizations relying on this platform for educational administration. This vulnerability exists within the file each_extracurricula_activities.php and represents a fundamental flaw in input validation and output encoding mechanisms. The specific weakness lies in how the system processes the id parameter, which allows malicious actors to inject arbitrary script code that executes in the context of other users' browsers. This type of vulnerability falls under CWE-79 - Improper Neutralization of Input During Web Page Generation, which is a core component of the OWASP Top Ten web application security risks.
The technical implementation of this vulnerability demonstrates poor security practices in parameter handling and data sanitization. When an attacker crafts a malicious request containing specially formatted id values, the system fails to properly escape or validate these inputs before incorporating them into dynamic web pages. This creates an environment where JavaScript code can be injected and executed without proper authorization, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of legitimate users. The remote exploitation capability means that attackers do not require physical access to the system or local network privileges to compromise the platform.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable sophisticated attack vectors through the ATT&CK framework's T1566 - Phishing and T1071.3 - Application Layer Protocol: Web Protocols categories. An attacker could craft malicious links that, when clicked by authorized users, would execute scripts to steal session cookies or redirect users to fraudulent websites. The disclosure of this exploit through public channels significantly increases the risk surface, as security researchers and malicious actors can now leverage this known weakness without requiring additional reconnaissance. This vulnerability directly impacts the integrity and confidentiality of educational data managed by the system.
Organizations utilizing this software should implement immediate mitigations including input validation for all parameters, proper output encoding of dynamic content, and deployment of web application firewalls to detect and block suspicious script injection attempts. The recommended remediation strategy involves sanitizing all user inputs through established libraries that properly escape special characters and implementing Content Security Policy headers to prevent unauthorized script execution. Additionally, regular security updates and patches should be applied immediately upon availability from the vendor, as this vulnerability represents a critical risk to the overall security posture of educational institutions relying on web-based management systems.