CVE-2024-50837 is a Stored Cross-Site Scripting (XSS) vulnerability identified in the KASHIPARA E-learning Management System Project version 1.0. The vulnerability exists in the /admin/admin_user.php script, where the firstname and username parameters do not properly sanitize or encode user-supplied input before storing and rendering it in the administrative interface. This flaw allows an authenticated attacker with at least limited privileges (PR:L) to inject malicious JavaScript code that is persistently stored and executed in the context of other users who access the affected page. The attack requires user interaction (UI:R), such as an administrator viewing the compromised user data, and can lead to the compromise of confidentiality and integrity by enabling session hijacking, credential theft, or unauthorized actions within the application. The vulnerability has a CVSS 3.1 base score of 5.4, indicating medium severity, with an attack vector of network (AV:N) and low attack complexity (AC:L). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. No patches or known exploits are currently available, but the vulnerability is publicly disclosed and should be addressed promptly. The CWE classification is CWE-79, which corresponds to Cross-Site Scripting vulnerabilities.

The primary impact of CVE-2024-50837 is on the confidentiality and integrity of the affected e-learning system. Successful exploitation can allow attackers to execute arbitrary scripts in the context of administrative users, potentially leading to session hijacking, theft of sensitive information, or unauthorized administrative actions. This can compromise user data, including personal information and educational records, and may facilitate further attacks within the network. Although availability is not directly affected, the breach of trust and data integrity can disrupt normal operations and damage organizational reputation. Educational institutions and organizations relying on the KASHIPARA E-learning Management System are at risk of targeted attacks, especially if administrative users are tricked into interacting with maliciously crafted user profiles. The vulnerability's medium severity and requirement for some privileges reduce the likelihood of widespread exploitation but do not eliminate the risk, particularly in environments with weak access controls or insufficient monitoring.

To mitigate CVE-2024-50837, organizations should implement strict input validation and output encoding on all user-supplied data, especially the firstname and username parameters in the /admin/admin_user.php page. Employing context-aware encoding (e.g., HTML entity encoding) before rendering data in the browser is critical to prevent script execution. Additionally, applying the principle of least privilege to administrative accounts can limit the potential damage from exploitation. Monitoring and logging administrative actions and user input changes can help detect suspicious activities early. If possible, isolate the administrative interface from general user access and enforce multi-factor authentication to reduce the risk of compromised credentials. Organizations should also stay alert for official patches or updates from the KASHIPARA project and apply them promptly once available. In the interim, consider deploying Web Application Firewalls (WAFs) with rules to detect and block common XSS payloads targeting the affected parameters.