Full Report
CERT Polska has received a report about two vulnerabilities (CVE-2026-47324 and CVE-2026-47325) found in the school-management-system software.
Analysis Summary
# Vulnerability: Critical Flaws in ProjectsAndPrograms school-management-system
## CVE Details
**Vulnerability 1**
- CVE ID: CVE-2026-47324
- CVSS Score: Not provided (severity rises to high/critical when chained with CVE-2025-11661, see below)
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation / Stored XSS)
**Vulnerability 2**
- CVE ID: CVE-2026-47325
- CVSS Score: Not provided
- CWE: CWE-1391 (Use of Weak Credentials)
## Affected Systems
- **Products:** ProjectsAndPrograms school-management-system
- **Versions:** Commit `6b6fae5` (Confirmed); other versions are likely affected but remain untested.
- **Configurations:** Default installations using standard student/teacher object attributes.
## Vulnerability Description
**CVE-2026-47324 (Stored XSS):** The application does not sanitize or encode input in multiple attributes of student and teacher objects. An authorized user (teacher or admin) can therefore store JavaScript in those attributes, and it executes in the browser of every user who later views the affected record. If chained with CVE-2025-11661 (unauthorized backend access), an unauthenticated remote attacker can plant the same payloads and execute scripts in the context of other users' sessions.
**CVE-2026-47325 (Weak Credentials):** The system generates default passwords for students and teachers from their date of birth alone (format: `DDMMYYYY`) and does not force a password change at first login. An attacker who knows or can discover a user's birthday logs in on the first attempt; even without it, the set of plausible birth dates for a school-age user is only a few thousand values, so the credential can be guessed outright unless login attempts are rate-limited.
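The weak scheme described above, reconstructed as an added example (this is not the project's code; the exact `DDMMYYYY` formatting and the account-record layout are assumptions): it sizes the guess list an attacker needs for a birth-date window and shows the hardened replacement, a random initial secret from the OS CSPRNG plus a must-change flag.

```python
from datetime import date, timedelta
import secrets


def _to_date(value):
    """Accept a date or an ISO 8601 string (as stored in most databases)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def default_password(dob):
    """Reconstruction of the weak scheme the advisory describes: the user's
    date of birth formatted DDMMYYYY. Assumption: the application applies
    exactly this format and nothing else."""
    return _to_date(dob).strftime("%d%m%Y")


def dob_candidates(start, end):
    """Yield every DDMMYYYY guess for a birthday from start to end inclusive."""
    d, last = _to_date(start), _to_date(end)
    while d <= last:
        yield default_password(d)
        d += timedelta(days=1)


def count_candidates(start, end):
    """Size of the guess list for a birth-date window (the whole keyspace)."""
    return sum(1 for _ in dob_candidates(start, end))


def seconds_to_exhaust(candidates, guesses_per_second):
    """Worst-case time to try every candidate at a sustained guess rate."""
    return candidates / guesses_per_second


def secure_initial_password(nbytes=12):
    """Hardened replacement: an unguessable initial secret from the OS CSPRNG
    (16 URL-safe characters for nbytes=12), delivered out of band."""
    return secrets.token_urlsafe(nbytes)


def provision_account(username, dob):
    """Account record as a hardened flow would create it (illustrative
    structure, not the project's schema): the birth date stays ordinary data,
    never a secret, and must_change_password forces rotation on first login."""
    return {
        "username": username,
        "date_of_birth": _to_date(dob).isoformat(),
        "initial_password": secure_initial_password(),
        "must_change_password": True,
    }


if __name__ == "__main__":
    pupils = count_candidates("2006-01-01", "2018-12-31")  # a 13-year school window
    print("default password for 2010-03-05:", default_password("2010-03-05"))
    print("guesses for a 2006-2018 birth window:", pupils)
    print("exhausted at 10 guesses/s in", round(seconds_to_exhaust(pupils, 10)), "s")
    print(provision_account("s1042", "2010-03-05"))
```

The keyspace count is the number a rate limit has to be measured against: a window of thirteen birth years is under five thousand guesses, so without lockout or throttling a single unauthenticated client exhausts it in minutes.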
## Exploitation
- **Status:** PoC acknowledged; reported via the CERT Polska CVD program.
- **Complexity:** Low (Predictable credentials) to Medium (XSS).
- **Attack Vector:** Network.
## Impact
- **Confidentiality:** High (Unauthorized account access and session hijacking).
- **Integrity:** High (Ability to modify student/teacher records and inject malicious scripts).
- **Availability:** Medium (Potential for account lockout or data manipulation).
## Remediation
### Patches
- **No official patch currently available.** The maintainers were notified but have not provided updated versions or specific versioning details beyond the tested commit.
### Workarounds
- **Manual Password Updates:** Administrators should immediately require every user to replace the default date-of-birth password with a long, unique one, and should issue any new accounts a random initial password that must be changed at first login.
- **Input Filtering:** Web Application Firewall (WAF) rules that block common XSS payloads (e.g., `<script>`, `onerror`, `onload`) on the application's backend endpoints reduce exposure but are a stopgap: signature lists are bypassable, and the real fix is context-aware output encoding of every student and teacher attribute wherever it is rendered.
- **Database Sanitization:** Manually audit student and teacher object attributes in the database for HTML tags, inline event-handler attributes (`onerror=`, `onload=`, and similar) and `javascript:` URIs, not only `<script>` tags, and remove or encode anything found.
## Detection
- **Indicators of Compromise:** Unusual administrative actions, unexpected script errors or outbound requests visible in the browser's developer tools while using the application, or logins from unfamiliar IP addresses.
- **Detection Methods:**
- Audit authentication logs for bursts of failed logins against one account followed by a success, and for successful logins from unfamiliar addresses. Passwords themselves are not logged, but the `DDMMYYYY` keyspace for a plausible age range is only a few thousand values, so guessing shows up as a short, dense run of failures.
- Scan every free-text attribute of student and teacher records (name, address, bio and similar fields) in the application database for HTML tags, event-handler attributes and `javascript:` URIs.
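Both detection methods and the database audit from the Workarounds section, as one added example (not code from the advisory or the project): a burst-then-success check over constructed authentication log lines, and a markup scanner over constructed student records. The log format, field names and thresholds are assumptions; adapt them to the real schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log; the line format is an assumption,
# not the application's real log format. s1042 is hit with five guesses
# and then a success; t007 has one mistyped password, which is normal.
SAMPLE_LOG = """\
2026-05-04T08:00:01 login user=s1042 result=fail ip=203.0.113.7
2026-05-04T08:00:02 login user=s1042 result=fail ip=203.0.113.7
2026-05-04T08:00:02 login user=s1042 result=fail ip=203.0.113.7
2026-05-04T08:00:03 login user=s1042 result=fail ip=203.0.113.7
2026-05-04T08:00:03 login user=s1042 result=fail ip=203.0.113.7
2026-05-04T08:00:04 login user=s1042 result=success ip=203.0.113.7
2026-05-04T08:05:10 login user=t007 result=fail ip=198.51.100.2
2026-05-04T08:05:40 login user=t007 result=success ip=198.51.100.2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) result=(?P<result>\S+) ip=(?P<ip>\S+)$"
)


def parse_log(text):
    """Turn log lines into (timestamp, user, result, ip); unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["result"], m["ip"]))
    return events


def guessing_successes(events, threshold=5, window=timedelta(minutes=10)):
    """Flag accounts where a success follows at least `threshold` failures
    inside `window`. Returns {user: (failure_count, ip_of_success)}."""
    recent = defaultdict(list)  # user -> timestamps of failures still inside the window
    flagged = {}
    for ts, user, result, ip in sorted(events, key=lambda e: e[0]):
        fails = [t for t in recent[user] if ts - t <= window]
        if result == "fail":
            fails.append(ts)
        elif result == "success":
            if len(fails) >= threshold:
                flagged[user] = (len(fails), ip)
            fails = []  # a success closes the run
        recent[user] = fails
    return flagged


# Markup that has no business in a name, address or bio: an opening or
# closing tag, an inline event handler, or a javascript: URI. A bare "<3"
# or "5 > 4" does not match, which keeps the review list short.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!?]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)

TEXT_FIELDS = ("first_name", "last_name", "address", "bio")  # assumed column names


def suspicious_fields(record, fields=TEXT_FIELDS):
    """Names of the fields in one record that contain markup and need review."""
    return [f for f in fields if record.get(f) is not None and MARKUP_RE.search(str(record[f]))]


def audit_records(records, fields=TEXT_FIELDS):
    """{record id: [field names]} for every row that needs manual review."""
    hits = {}
    for rec in records:
        bad = suspicious_fields(rec, fields)
        if bad:
            hits[rec["id"]] = bad
    return hits


# Constructed sample rows standing in for a SELECT over the student table.
SAMPLE_RECORDS = [
    {"id": 1, "first_name": "Ada", "last_name": "O'Brien", "address": "12 High St", "bio": "Likes maths <3"},
    {"id": 2, "first_name": "<img src=x onerror=alert(document.cookie)>", "last_name": "Smith", "address": "", "bio": None},
    {"id": 3, "first_name": "Tom", "last_name": "Lee", "address": "1 Main Rd", "bio": 'Profile: <a href="javascript:void(0)">click</a>'},
]

if __name__ == "__main__":
    print("credential guessing:", guessing_successes(parse_log(SAMPLE_LOG)))
    print("records to review:", audit_records(SAMPLE_RECORDS))
```

The log check only catches brute forcing; an attacker who already knows a birthday logs in on the first try and is indistinguishable from the user, which is why the unfamiliar-address indicator above still matters. The record scanner produces candidates for human review, not proof of compromise, and encoded text such as `&lt;script&gt;` is deliberately not flagged because it renders harmlessly.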
## References
- CERT Polska Advisory: hxxps[:]//cert[.]pl/en/posts/2024/06/vulnerabilities-in-school-management-system/ (Note: the URL path says 2024/06, while the CVE identifiers indicate a 2026 publication)
- CVE-2026-47324: hxxps[:]//www[.]cve[.]org/CVERecord?id=CVE-2026-47324
- CVE-2026-47325: hxxps[:]//www[.]cve[.]org/CVERecord?id=CVE-2026-47325