漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
N/A
Vulnerability Description
iNiLabs School Express (SMS Express) 6.2 is affected by a Stored Cross-Site Scripting (XSS) vulnerability in the content-management features available to authenticated admin users. The vulnerability resides in POSTed editor parameters submitted to the /posts/edit/{id} endpoint (and similarly in Notice and Pages editors). Due to insufficient input sanitization and output encoding, attackers can inject HTML/JS payloads. The payload is saved and later rendered unsanitized, resulting in JavaScript execution in other users' browsers when they access the affected content. This issue allows an authenticated attacker to execute arbitrary JavaScript in the context of another user, potentially leading to session hijacking, privilege escalation, data exfiltration, or administrative account takeover. The application does not enforce a restrictive Content Security Policy (CSP) or adequate filtering to prevent such attacks.
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
Inilabs School Express 安全漏洞
Vulnerability Description
Inilabs School Express是孟加拉国Inilabs公司的一款学校管理软件。 Inilabs School Express 6.2版本存在安全漏洞,该漏洞源于内容管理功能中对POSTed editor参数清理和编码不足,可能导致存储型跨站脚本攻击。
CVSS Information
N/A
Vulnerability Type
N/A