Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
iNiLabs School Express (SMS Express) 6.2 is affected by a Stored Cross-Site Scripting (XSS) vulnerability in the content-management features available to authenticated admin users. The vulnerability resides in POSTed editor parameters submitted to the /posts/edit/{id} endpoint (and similarly in Notice and Pages editors). Due to insufficient input sanitization and output encoding, attackers can inject HTML/JS payloads. The payload is saved and later rendered unsanitized, resulting in JavaScript execution in other users' browsers when they access the affected content. This issue allows an authenticated attacker to execute arbitrary JavaScript in the context of another user, potentially leading to session hijacking, privilege escalation, data exfiltration, or administrative account takeover. The application does not enforce a restrictive Content Security Policy (CSP) or adequate filtering to prevent such attacks.
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
Inilabs School Express 安全漏洞
Vulnerability Description
Inilabs School Express是孟加拉国Inilabs公司的一款学校管理软件。 Inilabs School Express 6.2版本存在安全漏洞,该漏洞源于内容管理功能中对POSTed editor参数清理和编码不足,可能导致存储型跨站脚本攻击。
CVSS Information
N/A
Vulnerability Type
N/A