CVE-2024-50839 identifies a stored Cross-Site Scripting (XSS) vulnerability in the KASHIPARA E-learning Management System Project 1.0, located in the /admin/add_subject.php endpoint. This vulnerability arises from improper sanitization of user-supplied input in the subject_code and title parameters, which are stored and later rendered in the administrative interface without adequate output encoding. An attacker with authenticated access and the ability to interact with the system can inject arbitrary JavaScript code that executes in the context of an administrator's browser session. This can lead to theft of session cookies, unauthorized actions performed with admin privileges, or redirection to malicious sites. The vulnerability is classified under CWE-120, indicating a buffer-related issue, but the primary impact is XSS. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) reflects that the attack is network-based, requires low attack complexity, privileges, and user interaction, and affects confidentiality and integrity with a scope change. No patches or known exploits have been reported as of the publication date (November 14, 2024).

The primary impact of this vulnerability is on the confidentiality and integrity of the affected system. Successful exploitation can allow attackers to execute arbitrary scripts in the administrator's browser, potentially leading to session hijacking, unauthorized administrative actions, and data manipulation. This can compromise sensitive educational data, user credentials, and system configurations. Although availability is not directly affected, the breach of administrative control can lead to broader system compromise or data loss. Organizations relying on this e-learning platform may face reputational damage, regulatory penalties, and operational disruptions if exploited. The requirement for authenticated access limits the attack surface but does not eliminate risk, especially in environments with weak credential management or insider threats.

To mitigate this vulnerability, organizations should implement strict input validation and output encoding on the subject_code and title parameters to prevent injection of malicious scripts. Employing a Content Security Policy (CSP) can reduce the impact of any injected scripts. Regularly update and patch the KASHIPARA E-learning Management System as vendors release fixes. Restrict administrative access using multi-factor authentication and monitor for unusual administrative activities. Conduct security awareness training for administrators to recognize phishing or social engineering attempts that could facilitate exploitation. Additionally, perform regular security assessments and code reviews focusing on input handling in web applications. If possible, isolate the administrative interface from general user access to reduce exposure.