Aggregates CVE and security vulnerability intelligence across all web-school-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Disclosed issues often relate to vendor risk cross-site scripting and vendor risk csrf; exposure may include vendor impact session compromise in vendor surface software deployment contexts.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2021-30114 | Web-School ERP V 5.0 contains a cross-site request forgery (CSRF) vulnerability that allows a remote attacker to create a voucher payment request through module/accounting/voucher/create. The application fails to validate the CSRF token for a POST request using admin privilege. | [email protected] | 6.5 | 0.14% | 2021-04-08 | 2024-11-21 |
| CVE-2021-30113 | A blind XSS vulnerability exists in Web-School ERP V 5.0 via (Add Events) in event name and description fields. An attacker can inject a JavaScript code that will be stored in the page. If any visitor sees the event, then the payload will be executed and sends the victim's information to the attacker website. | [email protected] | 6.1 | 0.25% | 2021-04-08 | 2024-11-21 |
| CVE-2021-30112 | Web-School ERP V 5.0 contains a cross-site request forgery (CSRF) vulnerability that allows a remote attacker to create a student_leave_application request through module/core/studentleaveapplication/create. The application fails to validate the CSRF token for a POST request using Guardian privilege. | [email protected] | 6.5 | 0.14% | 2021-04-08 | 2024-11-21 |
| CVE-2021-30111 | A stored XSS vulnerability exists in Web-School ERP V 5.0 via (Add Events) in the event name and description fields. An attack can inject a JavaScript code that will be stored in the page. If any visitor sees the events, then the payload will be executed. | [email protected] | 5.4 | 0.24% | 2021-04-08 | 2024-11-21 |