Impact
Improper neutralization of user input in PowerSchool Employee Access Center allows a reflected or DOM-based cross‑site scripting vulnerability. By appending arbitrary JavaScript to the login URL, the application evaluates the injected code on the page, allowing execution in the context of the authenticated user. This type of flaw falls under CWE‑79 and can lead to session hijacking, defacement, or malicious actions performed as the legitimate user.
Affected Systems
The vulnerability affects PowerSchool Employee Access Center version 23.10. No other versions are listed as impacted.
Risk and Exploitability
The CVSS score of 5.7 indicates moderate risk, while the EPSS score of less than 1% suggests a very low likelihood of widespread exploitation. Since the flaw is not listed in the CISA KEV catalog, there are no known active exploits at the time of this analysis. Exploitation requires an attacker to craft a malicious URL that includes JavaScript code after the login page, which is then executed by the victim’s browser. The attack is constrained to users who can access the compromised login link, making the threat surface moderate but less likely to be leveraged broadly.
OpenCVE Enrichment