CVE-2024-4823 - Vulnerability Details - OpenCVE

Vulnerability in School ERP Pro+Responsive 1.0 that allows XSS via the index '/schoolerp/office_admin/' in the parameters es_bankacc, es_bank_name, es_bank_pin, es_checkno, es_teller_number, dc1 and dc2. An attacker could send a specially crafted JavaScript payload to an authenticated user and partially hijack their browser session.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00366.

Key SSVC decision points have not yet been added.

Vendors	Products
Arox	School Erp Pro\+responsive

Configuration 1 [-]

cpe:2.3:a:arox:school_erp_pro\+responsive:1.0:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-44414	Vulnerability in School ERP Pro+Responsive 1.0 that allows XSS via the index '/schoolerp/office_admin/' in the parameters es_bankacc, es_bank_name, es_bank_pin, es_checkno, es_teller_number, dc1 and dc2. An attacker could send a specially crafted JavaScript payload to an authenticated user and partially hijack their browser session.

Fixes

Solution

There is no reported solution at this time.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-school-erp-proresponsive-arox-solution

History

Thu, 23 Oct 2025 12:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Arox Arox school Erp Pro\+responsive
CPEs		cpe:2.3:a:arox:school_erp_pro\+responsive:1.0:::::::*
Vendors & Products		Arox Arox school Erp Pro\+responsive

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2024-05-13T11:27:26.304Z

Updated: 2024-08-01T20:55:10.025Z

Reserved: 2024-05-13T07:19:20.469Z

Link: CVE-2024-4823

Vulnrichment

Updated: 2024-08-01T20:55:10.025Z

NVD

Status : Analyzed

Published: 2024-05-14T15:45:14.797

Modified: 2025-10-23T12:27:00.927

Link: CVE-2024-4823

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-4823", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2024-05-13T07:19:20.469Z", "datePublished": "2024-05-13T11:27:26.304Z", "dateUpdated": "2024-08-01T20:55:10.025Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "School ERP Pro+Responsive", "vendor": "AROX SOLUTION", "versions": [{"status": "affected", "version": "1.0"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Rafael Pedrero"}], "datePublic": "2024-05-13T10:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Vulnerability in School ERP Pro+Responsive 1.0 that allows XSS via the index '/schoolerp/office_admin/' in the parameters es_bankacc, es_bank_name, es_bank_pin, es_checkno, es_teller_number, dc1 and dc2. An attacker could send a specially crafted JavaScript payload to an authenticated user and partially hijack their browser session."}], "value": "Vulnerability in School ERP Pro+Responsive 1.0 that allows XSS via the index '/schoolerp/office_admin/' in the parameters es_bankacc, es_bank_name, es_bank_pin, es_checkno, es_teller_number, dc1 and dc2. An attacker could send a specially crafted JavaScript payload to an authenticated user and partially hijack their browser session."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2024-05-13T11:27:26.304Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-school-erp-proresponsive-arox-solution"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "There is no reported solution at this time."}], "value": "There is no reported solution at this time."}], "source": {"discovery": "EXTERNAL"}, "title": "Cross-site Scripting in School ERP Pro+Responsive by AROX SOLUTION", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-4823", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-13T19:27:17.941162Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:arox:school_erp_pro:1.0:*:*:*:*:*:*:*"], "vendor": "arox", "product": "school_erp_pro", "versions": [{"status": "affected", "version": "1.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:53:57.934Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:55:10.025Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-school-erp-proresponsive-arox-solution", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-school-erp-proresponsive-arox-solution", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:55:10.025Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-4823", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-13T19:27:17.941162Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:arox:school_erp_pro:1.0:*:*:*:*:*:*:*"], "vendor": "arox", "product": "school_erp_pro", "versions": [{"status": "affected", "version": "1.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-13T19:25:29.152Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Cross-site Scripting in School ERP Pro+Responsive by AROX SOLUTION", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Rafael Pedrero"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "AROX SOLUTION", "product": "School ERP Pro+Responsive", "versions": [{"status": "affected", "version": "1.0"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "There is no reported solution at this time.", "supportingMedia": [{"type": "text/html", "value": "There is no reported solution at this time.", "base64": false}]}], "datePublic": "2024-05-13T10:00:00.000Z", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-school-erp-proresponsive-arox-solution"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Vulnerability in School ERP Pro+Responsive 1.0 that allows XSS via the index '/schoolerp/office_admin/' in the parameters es_bankacc, es_bank_name, es_bank_pin, es_checkno, es_teller_number, dc1 and dc2. An attacker could send a specially crafted JavaScript payload to an authenticated user and partially hijack their browser session.", "supportingMedia": [{"type": "text/html", "value": "Vulnerability in School ERP Pro+Responsive 1.0 that allows XSS via the index '/schoolerp/office_admin/' in the parameters es_bankacc, es_bank_name, es_bank_pin, es_checkno, es_teller_number, dc1 and dc2. An attacker could send a specially crafted JavaScript payload to an authenticated user and partially hijack their browser session.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2024-05-13T11:27:26.304Z"}}}, "cveMetadata": {"cveId": "CVE-2024-4823", "state": "PUBLISHED", "dateUpdated": "2024-08-01T20:55:10.025Z", "dateReserved": "2024-05-13T07:19:20.469Z", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "datePublished": "2024-05-13T11:27:26.304Z", "assignerShortName": "INCIBE"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:arox:school_erp_pro\\+responsive:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "519D0E14-E540-405A-A136-3B63206888B4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in School ERP Pro+Responsive 1.0 that allows XSS via the index '/schoolerp/office_admin/' in the parameters es_bankacc, es_bank_name, es_bank_pin, es_checkno, es_teller_number, dc1 and dc2. An attacker could send a specially crafted JavaScript payload to an authenticated user and partially hijack their browser session."}, {"lang": "es", "value": "Vulnerabilidad en School ERP Pro+Responsive 1.0 que permite XSS mediante el \u00edndice '/schoolerp/office_admin/' en los par\u00e1metros es_bankacc, es_bank_name, es_bank_pin, es_checkno, es_teller_number, dc1 y dc2. Un atacante podr\u00eda enviar un payload de JavaScript especialmente manipulado a un usuario autenticado y secuestrar parcialmente su sesi\u00f3n de navegador."}], "id": "CVE-2024-4823", "lastModified": "2025-10-23T12:27:00.927", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "cve-coordination@incibe.es", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-05-14T15:45:14.797", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-school-erp-proresponsive-arox-solution"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-school-erp-proresponsive-arox-solution"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cve-coordination@incibe.es", "type": "Secondary"}]}