RSS   Vulnerabilities for 'Enterprise resource planning'   RSS

2021-04-08
 
CVE-2021-30114

CWE-352
 

 
Web-School ERP V 5.0 contains a cross-site request forgery (CSRF) vulnerability that allows a remote attacker to create a voucher payment request through module/accounting/voucher/create. The application fails to validate the CSRF token for a POST request using admin privilege.

 
 
CVE-2021-30113

CWE-79
 

 
A blind XSS vulnerability exists in Web-School ERP V 5.0 via (Add Events) in event name and description fields. An attacker can inject a JavaScript code that will be stored in the page. If any visitor sees the event, then the payload will be executed and sends the victim's information to the attacker website.

 
 
CVE-2021-30112

CWE-352
 

 
Web-School ERP V 5.0 contains a cross-site request forgery (CSRF) vulnerability that allows a remote attacker to create a student_leave_application request through module/core/studentleaveapplication/create. The application fails to validate the CSRF token for a POST request using Guardian privilege.

 
 
CVE-2021-30111

CWE-79
 

 
A stored XSS vulnerability exists in Web-School ERP V 5.0 via (Add Events) in the event name and description fields. An attack can inject a JavaScript code that will be stored in the page. If any visitor sees the events, then the payload will be executed.

 


Copyright 2021, cxsecurity.com

 

Back to Top