Description
Cross Site Scripting vulnerability in Follet School Solutions Destiny before v22.0.1 AU1 allows a remote attacker to run arbitrary client-side code via the showSupportExpiredMessage parameter of handleloginform.do.
Published: 2026-05-28
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A reflected cross‑site scripting flaw in Follet School Solutions Destiny lets a remote attacker run arbitrary JavaScript in the browser of any user who opens a crafted URL. The value of the showSupportExpiredMessage parameter of handleloginform.do is reflected into the login page without adequate output encoding (CWE‑79, improper neutralization of input during web page generation). Because the injection point is the login page, realistic uses are harvesting credentials with an injected fake login form, hijacking the victim's session, or performing actions in the application as the victim. The impact lands on the victim's browser rather than on the Destiny server, which the CVSS 4.0 vector records as low confidentiality and integrity impact on the subsequent system (SC:L/SI:L) and none on the vulnerable system itself.

Affected Systems

Follet School Solutions Destiny versions earlier than 22.0.1 AU1 are affected. The flaw resides in the Destiny application’s login handling component, and any environment running a pre‑22.0.1 AU1 release is vulnerable.

Risk and Exploitability

The CVSS 4.0 base score is 5.1 (Medium). The vector AV:N/AC:L/AT:N/PR:N/UI:A means the flaw is reachable over the network, needs no privileges and no special conditions, but does require active user interaction: the victim has to open the crafted link. The EPSS score is below 1%, the CVE is not in the CISA KEV catalog, and the SSVC assessment in the history below records Exploitation: none and Automatable: no, so there is no sign of in‑the‑wild exploitation at the time of writing. The risk is nevertheless real for deployments whose login page is reachable by students, parents or other external users, since a phishing email or a link on a shared page is all the attacker needs.

Generated by OpenCVE AI on May 28, 2026 at 09:21 UTC.

Remediation

No vendor advisory or workaround is linked to this record. The CVE description names v22.0.1 AU1 as the first release that is not affected.

OpenCVE Recommended Actions

  • Upgrade to Follet School Solutions Destiny 22.0.1 AU1 or later; the CVE description identifies that release as the first unaffected version.
  • If an upgrade is not immediately feasible, add a web application firewall rule for handleloginform.do that rejects requests whose showSupportExpiredMessage value contains HTML markup (angle brackets, quotes, or a javascript: scheme). Treat this as a stopgap only: request‑side filters are routinely bypassed with alternate encodings, and a WAF cannot change what the application reflects.
  • For the vendor's code, the correct fix is contextual output encoding, or better an allowlist of the values the parameter is expected to carry, at the point where showSupportExpiredMessage is written into the page. Removing script tags alone is not sufficient, because XSS payloads do not need a script tag. Destiny customers cannot apply this themselves, so the upgrade remains the real remediation.
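The following is an added illustration, not code from Follet School Solutions or from Destiny, whose source is not public. It shows the mechanism behind this class of bug and the two fixes recommended above: a hypothetical handler that reflects showSupportExpiredMessage raw, the same handler with contextual HTML encoding, an allowlist variant that never reflects the raw value, and the request‑side check a WAF stopgap would approximate. The crafted URL, the hostname, the page template and the function names are all constructed for the example; only the endpoint path and parameter name come from the CVE record.

```python
"""Reflected XSS via an unencoded query parameter: vulnerable vs. hardened rendering.

Added example. The template, handler names and payload are hypothetical; the real
handleloginform.do is a Java endpoint whose implementation is not on this page.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed attacker URL. The payload is a generic probe (no <script> tag needed),
# which is why "strip script tags" is not an adequate fix.
CRAFTED_URL = (
    "https://destiny.example.org/handleloginform.do"
    "?showSupportExpiredMessage=%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E"
)
PARAM = "showSupportExpiredMessage"

# Server-controlled notice text for the allowlist variant (invented values).
SUPPORT_MESSAGES = {
    "true": "Your support contract has expired. Contact your administrator.",
    "false": "",
}


def get_param(url: str, name: str) -> str:
    """Return the first value of a query parameter, URL-decoded, or '' if absent."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(name, [""])[0]


def render_vulnerable(message: str) -> str:
    """Hypothetical 'before' behaviour: the raw parameter is interpolated into HTML."""
    return f'<div class="support-notice">{message}</div>'


def render_hardened(message: str) -> str:
    """Contextual output encoding for an HTML text node: & < > " ' become entities.

    The browser now renders the payload as literal text instead of parsing it as markup.
    """
    return f'<div class="support-notice">{html.escape(message, quote=True)}</div>'


def render_allowlisted(message: str) -> str:
    """Stronger fix: the parameter only selects a canned notice, so the raw value is
    never written to the page at all. Unknown values render as an empty notice."""
    text = SUPPORT_MESSAGES.get(message, "")
    return f'<div class="support-notice">{html.escape(text, quote=True)}</div>'


def looks_like_markup(value: str) -> bool:
    """Request-side heuristic of the kind a WAF rule would apply as a stopgap.

    Deliberately simple, and deliberately not a fix: it runs on the decoded value and
    can be evaded by encodings or contexts it does not know about.
    """
    lowered = value.lower()
    return any(marker in lowered for marker in ("<", ">", '"', "'", "javascript:"))


if __name__ == "__main__":
    payload = get_param(CRAFTED_URL, PARAM)
    print("decoded parameter :", payload)
    print("vulnerable render :", render_vulnerable(payload))
    print("hardened render   :", render_hardened(payload))
    print("allowlisted render:", render_allowlisted(payload))
    print("WAF heuristic hit :", looks_like_markup(payload))
```

Running it shows the vulnerable render echoing a live `<img onerror=...>` element, the hardened render turning the angle brackets into `&lt;` and `&gt;`, and the allowlisted render emitting nothing for the unexpected value. The heuristic flags the probe, but a real deployment should rely on the encoding or allowlist, not the filter.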

Advisories

No advisories yet.

History

Thu, 28 May 2026 13:30:00 +0000

Type     | Values Removed | Values Added
Metrics  | (none)         | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 May 2026 09:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared | (none)         | Follet School Solutions; Follet School Solutions destiny
Vendors & Products  | (none)         | Follet School Solutions; Follet School Solutions destiny

Thu, 28 May 2026 08:45:00 +0000

Type        | Values Removed | Values Added
Description | (none)         | Cross Site Scripting vulnerability in Follet School Solutions Destiny before v22.0.1 AU1 allows a remote attacker to run arbitrary client-side code via the showSupportExpiredMessage parameter of handleloginform.do.
Title       | (none)         | Reflected Cross-Site Scripting in Follet School Solutions Destiny
Weaknesses  | (none)         | CWE-79
References  | (none)         | (none listed)
Metrics     | (none)         | cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: securin

Published:

Updated: 2026-05-28T12:10:08.787Z

Reserved: 2024-09-18T15:52:22.556Z

Link: CVE-2024-47096

Vulnrichment

Updated: 2026-05-28T12:10:03.518Z

NVD

Status: Deferred

Published: 2026-05-28T09:16:28.957

Modified: 2026-05-28T18:56:36.823

Link: CVE-2024-47096

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T09:30:06Z

Weaknesses