CVE-2023-38827: n/a in n/a
Cross Site Scripting vulnerability in Follet School Solutions Destiny v.20_0_1_AU4 and later allows a remote attacker to run arbitrary code via presentonesearchresultsform.do.
AI Analysis
Technical Summary
CVE-2023-38827 is a Cross-Site Scripting (XSS) vulnerability identified in Follett School Solutions Destiny, specifically from version 20_0_1_AU4 and later. The vulnerability exists in the web application endpoint presentonesearchresultsform.do. An attacker can exploit this flaw by injecting malicious scripts into the vulnerable parameter(s) processed by this endpoint. When a victim user accesses the affected page, the injected script executes in their browser context, potentially allowing the attacker to perform actions such as session hijacking, credential theft, or unauthorized actions on behalf of the user. The vulnerability is classified under CWE-79, which covers improper neutralization of input leading to XSS. The CVSS v3.1 base score is 6.1 (medium severity), with the vector indicating that the attack can be performed remotely over the network (AV:N), requires no privileges (PR:N), but does require user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the vulnerable component, and the impact is limited to low confidentiality and integrity impacts, with no availability impact. No known exploits are reported in the wild yet, and no official patches or vendor advisories are currently linked. Given the nature of the product — Follett Destiny is a widely used library and educational resource management system in schools — the vulnerability could be leveraged to target educational institutions, potentially compromising student or staff data or disrupting educational workflows.
Potential Impact
For European organizations, particularly educational institutions such as schools, universities, and libraries using Follett Destiny, this vulnerability poses a risk of unauthorized script execution within user browsers. This can lead to theft of session cookies, user impersonation, and unauthorized access to sensitive educational records or personal information of students and staff. The impact on confidentiality and integrity is moderate, as attackers could manipulate displayed data or steal information but not directly disrupt system availability. Given the reliance on Follett Destiny for managing educational resources, exploitation could undermine trust in digital learning environments and lead to regulatory compliance issues under GDPR if personal data is compromised. The requirement for user interaction means phishing or social engineering might be needed to trigger the exploit, but the lack of required privileges lowers the barrier for attackers. The vulnerability could also be used as a foothold for further attacks within the network if combined with other vulnerabilities or misconfigurations.
Mitigation Recommendations
Organizations should implement the following specific mitigations: 1) Immediately review and sanitize all user inputs and outputs related to the presentonesearchresultsform.do endpoint to ensure proper encoding and neutralization of potentially malicious scripts. 2) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the application. 3) Educate users, especially staff and students, about the risks of clicking on untrusted links or interacting with suspicious content to reduce the chance of successful social engineering. 4) Monitor web application logs for unusual or suspicious requests targeting the vulnerable endpoint to detect potential exploitation attempts. 5) Coordinate with Follett School Solutions for official patches or updates and apply them promptly once available. 6) If possible, implement web application firewalls (WAF) with rules tailored to detect and block XSS attack patterns targeting this endpoint. 7) Conduct regular security assessments and penetration tests focusing on web application input validation and output encoding to proactively identify similar vulnerabilities.
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Italy, Spain, Belgium
CVE-2023-38827: n/a in n/a
Description
Cross Site Scripting vulnerability in Follet School Solutions Destiny v.20_0_1_AU4 and later allows a remote attacker to run arbitrary code via presentonesearchresultsform.do.
AI-Powered Analysis
Technical Analysis
CVE-2023-38827 is a Cross-Site Scripting (XSS) vulnerability identified in Follett School Solutions Destiny, specifically from version 20_0_1_AU4 and later. The vulnerability exists in the web application endpoint presentonesearchresultsform.do. An attacker can exploit this flaw by injecting malicious scripts into the vulnerable parameter(s) processed by this endpoint. When a victim user accesses the affected page, the injected script executes in their browser context, potentially allowing the attacker to perform actions such as session hijacking, credential theft, or unauthorized actions on behalf of the user. The vulnerability is classified under CWE-79, which covers improper neutralization of input leading to XSS. The CVSS v3.1 base score is 6.1 (medium severity), with the vector indicating that the attack can be performed remotely over the network (AV:N), requires no privileges (PR:N), but does require user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the vulnerable component, and the impact is limited to low confidentiality and integrity impacts, with no availability impact. No known exploits are reported in the wild yet, and no official patches or vendor advisories are currently linked. Given the nature of the product — Follett Destiny is a widely used library and educational resource management system in schools — the vulnerability could be leveraged to target educational institutions, potentially compromising student or staff data or disrupting educational workflows.
Potential Impact
For European organizations, particularly educational institutions such as schools, universities, and libraries using Follett Destiny, this vulnerability poses a risk of unauthorized script execution within user browsers. This can lead to theft of session cookies, user impersonation, and unauthorized access to sensitive educational records or personal information of students and staff. The impact on confidentiality and integrity is moderate, as attackers could manipulate displayed data or steal information but not directly disrupt system availability. Given the reliance on Follett Destiny for managing educational resources, exploitation could undermine trust in digital learning environments and lead to regulatory compliance issues under GDPR if personal data is compromised. The requirement for user interaction means phishing or social engineering might be needed to trigger the exploit, but the lack of required privileges lowers the barrier for attackers. The vulnerability could also be used as a foothold for further attacks within the network if combined with other vulnerabilities or misconfigurations.
Mitigation Recommendations
Organizations should implement the following specific mitigations: 1) Immediately review and sanitize all user inputs and outputs related to the presentonesearchresultsform.do endpoint to ensure proper encoding and neutralization of potentially malicious scripts. 2) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the application. 3) Educate users, especially staff and students, about the risks of clicking on untrusted links or interacting with suspicious content to reduce the chance of successful social engineering. 4) Monitor web application logs for unusual or suspicious requests targeting the vulnerable endpoint to detect potential exploitation attempts. 5) Coordinate with Follett School Solutions for official patches or updates and apply them promptly once available. 6) If possible, implement web application firewalls (WAF) with rules tailored to detect and block XSS attack patterns targeting this endpoint. 7) Conduct regular security assessments and penetration tests focusing on web application input validation and output encoding to proactively identify similar vulnerabilities.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- mitre
- Date Reserved
- 2023-07-25T00:00:00.000Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 683f0a31182aa0cae27f6e96
Added to database: 6/3/2025, 2:44:01 PM
Last enriched: 7/4/2025, 2:13:44 PM
Last updated: 8/10/2025, 5:07:22 PM
Views: 12
Related Threats
CVE-2025-8947: SQL Injection in projectworlds Visitor Management System
MediumCVE-2025-8046: CWE-79 Cross-Site Scripting (XSS) in Injection Guard
MediumCVE-2025-7808: CWE-79 Cross-Site Scripting (XSS) in WP Shopify
HighCVE-2025-6790: CWE-352 Cross-Site Request Forgery (CSRF) in Quiz and Survey Master (QSM)
HighCVE-2025-3414: CWE-79 Cross-Site Scripting (XSS) in Structured Content (JSON-LD) #wpsc
HighActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.