This vulnerability (CWE-79) in Follet School Solutions Destiny involves improper neutralization of input during web page generation, specifically in the 'site' parameter of the handleloginform.do endpoint. An attacker can inject malicious scripts that execute in the context of the victim's browser, potentially leading to unauthorized actions or data exposure. The CVSS 4.0 base score is 5.1, indicating a medium severity with network attack vector, low complexity, no privileges required, and requiring user interaction.

Successful exploitation allows remote attackers to run arbitrary client-side code in the context of the vulnerable web application. This can lead to session hijacking, defacement, or other client-side attacks depending on the victim's interaction with the malicious payload. There is no indication of privilege escalation or direct server compromise from the provided data.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or temporary mitigation is documented, users should monitor Follet School Solutions advisories for updates. Until a patch is available, cautious handling of the affected parameter and limiting exposure may reduce risk.