CVE-2024-50840 identifies a stored Cross-Site Scripting (XSS) vulnerability in the KASHIPARA E-learning Management System Project 1.0, specifically within the /admin/class.php file. The vulnerability arises from improper sanitization of the class_name parameter, which allows authenticated users with limited privileges to inject malicious JavaScript code that is stored persistently on the server. When other users or administrators access the affected page, the malicious script executes in their browsers, potentially leading to session hijacking, unauthorized actions, or disruption of service. The vulnerability is classified under CWE-120, indicating a buffer-related issue, which may suggest underlying memory handling problems contributing to the XSS. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L) indicates that the attack can be performed remotely over the network with low attack complexity, requires privileges and user interaction, and affects system integrity and availability with a scope change. No patches or known exploits are currently available, highlighting the need for proactive mitigation. This vulnerability is particularly concerning in educational environments where multiple users access administrative interfaces, increasing the risk of widespread impact.

The primary impact of CVE-2024-50840 is on the integrity and availability of the KASHIPARA E-learning Management System. Successful exploitation allows attackers to execute arbitrary scripts in the context of other users, potentially leading to unauthorized actions such as privilege escalation, manipulation of course data, or disruption of service. Although confidentiality is not directly compromised, the injected scripts could be leveraged to steal session tokens or perform social engineering attacks. The requirement for authentication and user interaction limits the attack surface but does not eliminate risk, especially in environments with many users or shared credentials. Educational institutions relying on this platform could face operational disruptions, reputational damage, and compliance issues if exploited. The lack of patches and known exploits suggests a window of exposure that must be addressed promptly to prevent future attacks.

To mitigate CVE-2024-50840, organizations should implement strict input validation and output encoding on the class_name parameter to prevent malicious script injection. Employing a whitelist approach for allowed characters and length restrictions can reduce injection vectors. Administrators should review and sanitize existing stored data to remove any malicious payloads. Enforcing the principle of least privilege for user roles can limit the ability of attackers to exploit this vulnerability. Additionally, implementing Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting script execution sources. Regular security audits and code reviews focusing on input handling in administrative modules are recommended. Until an official patch is released, consider isolating or restricting access to the vulnerable admin interface and educating users about phishing and social engineering risks related to XSS. Monitoring logs for unusual activity related to class_name inputs can provide early detection of exploitation attempts.