CVE-2024-50838 is a stored Cross-Site Scripting (XSS) vulnerability identified in the KASHIPARA E-learning Management System Project 1.0, specifically in the /admin/department.php endpoint. The vulnerability arises from insufficient sanitization of user-supplied input in the 'd' and 'pi' parameters, which are likely used to manage department-related data within the administrative interface. Because the malicious script is stored persistently on the server, it can be executed whenever an administrator or authorized user accesses the affected page, leading to the execution of arbitrary JavaScript code in the context of the victim's browser. This can result in session hijacking, unauthorized actions, or data theft. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates that the attack can be performed remotely over the network with low attack complexity, requires low privileges (authenticated user), and user interaction (clicking or viewing the page) is necessary. The scope is changed, meaning the vulnerability affects resources beyond the initially vulnerable component. The vulnerability impacts confidentiality and integrity but does not affect availability. No patches or known exploits are currently reported, but the presence of CWE-120 (Buffer Copy without Checking Size of Input) suggests potential underlying memory handling issues that could be related or misclassified. Overall, this vulnerability poses a moderate risk to organizations using this e-learning system, especially those with multiple administrators or users with elevated privileges.

The primary impact of CVE-2024-50838 is on the confidentiality and integrity of administrative user sessions and data within the KASHIPARA E-learning Management System. Successful exploitation allows attackers to execute arbitrary scripts in the context of authenticated users, potentially leading to session hijacking, theft of sensitive information such as credentials or personal data, and unauthorized modification of system settings or content. While availability is not directly affected, the compromise of administrative accounts can lead to broader system misuse or data corruption. Organizations relying on this platform for educational management may face reputational damage, data breaches, and compliance violations if the vulnerability is exploited. The requirement for low privileges and user interaction lowers the barrier for exploitation within trusted user groups, increasing risk in environments with multiple administrators or instructors. The lack of known public exploits currently limits immediate widespread impact, but the vulnerability remains a significant concern until patched.

1. Implement strict input validation and sanitization on the 'd' and 'pi' parameters to ensure that no executable scripts can be injected or stored. Use a whitelist approach for allowed characters and data formats. 2. Apply proper output encoding (e.g., HTML entity encoding) when rendering user-supplied data in the admin interface to prevent script execution. 3. Restrict access to the /admin/department.php page to only trusted and necessary administrative users, minimizing the number of accounts that can trigger the vulnerability. 4. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the browser context. 5. Monitor logs for unusual activity or repeated attempts to inject scripts via the vulnerable parameters. 6. If possible, isolate the administrative interface from the public network or require VPN access to reduce exposure. 7. Stay alert for official patches or updates from the KASHIPARA project and apply them promptly once available. 8. Educate administrators about the risks of clicking on suspicious links or content within the admin panel to reduce the risk of user interaction exploitation.