OnboardLite contains a stored cross‑site scripting flaw that is triggered when an administrator migrates a student’s Discord account in the dashboard. The attacker can inject malicious JavaScript that is stored and later executed with the full privileges of the administrator, enabling account hijacking, credential theft, or arbitrary code execution within the application context. The weakness stems from a lack of input validation (CWE‑79), improper handling of user‑supplied data (CWE‑20), and potential data type mismatch (CWE‑116).

All releases of HackUCF OnboardLite prior to commit 1d32081a66f21bcf41df1ecb672490b13f6e429f are affected. The vulnerability was fixed in that commit, which should be applied to replace any earlier version of the software.

The CVSS score of 7.3 indicates high severity, but the EPSS score less than 1% and absence from the CISA KEV catalog suggest a low likelihood of widespread exploitation at present. The likely attack vector is via the web interface that allows administrators to migrate Discord accounts; an attacker must be able to supply or modify the migration field with a malicious payload, which persists and executes when the administrator reloads the dashboard. An attacker would need any level of access that permits the execution of the migration action, such as user accounts with compromised credentials or access to an unprotected administrator account.