CVE-2024-50836 is a stored Cross-Site Scripting (XSS) vulnerability identified in the KASHIPARA E-learning Management System Project 1.0, located in the /admin/teachers.php endpoint. The vulnerability arises from insufficient sanitization of user-supplied input in the firstname and lastname parameters, allowing an authenticated attacker to inject malicious JavaScript code that is stored on the server and later executed in the browsers of users who access the affected page. This persistent XSS flaw can lead to unauthorized actions performed in the context of the victim's session, including theft of session cookies, defacement, or redirection to malicious sites. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates that the attack is network exploitable with low attack complexity, requires low privileges (authenticated user), and user interaction to trigger the payload. The scope is changed, meaning the vulnerability affects resources beyond the vulnerable component. Confidentiality and integrity impacts are low but notable, while availability is unaffected. No patches or known exploits are currently available, but the vulnerability is publicly disclosed as of November 14, 2024. The CWE-79 classification confirms this as a classic XSS issue. Given the administrative context, exploitation could facilitate lateral movement or privilege escalation within the e-learning platform.

The primary impact of CVE-2024-50836 is on the confidentiality and integrity of user data within the KASHIPARA E-learning Management System. Attackers exploiting this vulnerability can execute arbitrary scripts in the context of authenticated users, potentially stealing session tokens, manipulating user data, or performing unauthorized actions on behalf of victims. This can lead to account compromise, unauthorized access to sensitive educational records, or disruption of administrative functions. Although availability is not directly impacted, the trustworthiness of the platform is undermined, which can affect user confidence and compliance with data protection regulations. Organizations relying on this system, especially educational institutions, may face reputational damage and legal consequences if exploited. The requirement for authenticated access and user interaction limits the attack surface but does not eliminate risk, particularly in environments with many users and varying privilege levels.

To mitigate CVE-2024-50836, organizations should implement strict input validation and output encoding on all user-supplied data, particularly the firstname and lastname parameters in the /admin/teachers.php page. Employing a robust Content Security Policy (CSP) can help reduce the impact of injected scripts. Restricting administrative access to trusted users and enforcing strong authentication mechanisms will limit attacker capabilities. Regularly auditing and sanitizing stored data can prevent persistence of malicious payloads. Since no official patch is currently available, consider applying virtual patching via Web Application Firewalls (WAFs) configured to detect and block XSS payloads targeting these parameters. Educate users about the risks of clicking suspicious links or executing unexpected scripts. Monitor logs for unusual activity indicative of exploitation attempts. Finally, maintain an incident response plan tailored to web application attacks to quickly address any compromise.