CVE-2024-50842: n/a
CVE-2024-50842 is a stored Cross-Site Scripting (XSS) vulnerability in the KASHIPARA E-learning Management System Project 1.0, specifically in the /admin/school_year.php component. It allows remote attackers with limited privileges to execute arbitrary scripts by injecting malicious code via the school_year parameter. Exploitation requires user interaction and some level of authentication, but can lead to compromised confidentiality and integrity within the affected system. The vulnerability has a CVSS score of 5.4 (medium severity) and does not impact availability. No known exploits are currently in the wild, and no patches have been published yet. Organizations using this e-learning platform should prioritize mitigating this vulnerability to prevent potential session hijacking, data theft, or unauthorized actions performed through injected scripts.
AI Analysis
Technical Summary
CVE-2024-50842 identifies a stored Cross-Site Scripting (XSS) vulnerability in the KASHIPARA E-learning Management System Project 1.0, located in the /admin/school_year.php file. The vulnerability arises from insufficient input validation and output encoding of the school_year parameter, allowing an authenticated attacker with limited privileges to inject malicious JavaScript code that is stored persistently on the server. When other users or administrators access the affected page, the injected script executes in their browsers within the context of the vulnerable application. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common web application security flaw. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates that the attack is network-based, has low attack complexity, requires only low privileges, requires user interaction, and affects confidentiality and integrity with a scope change, but does not affect availability. No patches or known exploits are currently available, but the vulnerability poses a risk of session hijacking, credential theft, or unauthorized actions via script execution in the victim's browser.
Potential Impact
The primary impact of this vulnerability is the compromise of confidentiality and integrity within the KASHIPARA E-learning Management System. Attackers can leverage the stored XSS to steal session cookies, perform actions on behalf of legitimate users, or inject malicious content that misleads or harms users. This can lead to unauthorized access to sensitive educational data, manipulation of administrative functions, or broader compromise of user accounts. Since the vulnerability requires some level of authentication and user interaction, the risk is somewhat mitigated but still significant in environments where multiple users have access to the admin interface. Educational institutions and organizations relying on this platform could face data breaches, reputational damage, and potential regulatory consequences if exploited.
Mitigation Recommendations
To mitigate CVE-2024-50842, organizations should implement strict input validation and output encoding for the school_year parameter and any other user-supplied data in the application. Employ context-aware escaping techniques to neutralize scripts before rendering them in the browser. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Limit administrative privileges to trusted personnel and enforce multi-factor authentication to reduce the risk of credential compromise. Regularly monitor logs for suspicious activities related to the vulnerable endpoint. Since no official patch is available, consider applying virtual patching via Web Application Firewalls (WAFs) that can detect and block malicious payloads targeting the school_year parameter. Finally, keep the system and dependencies updated and prepare to apply vendor patches once released.
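The following is an added example of the validate-then-encode pattern recommended above, written for this page and not taken from the KASHIPARA project. It assumes a form field named school_year in the YYYY-YYYY format, a table row per stored value, and a PDO connection for persistence; all of those are illustrative assumptions, as the project's real schema and templates are not shown here.

```php
<?php
// Added example (not KASHIPARA project code): hardened handling of a
// "school_year" value. Field name, the YYYY-YYYY format, and the table
// layout are assumptions for illustration only.
declare(strict_types=1);

/**
 * Validate a school year such as "2024-2025": two four-digit years, the
 * second exactly one greater than the first. Returns null on any deviation,
 * so only values of the expected shape ever reach storage.
 */
function validate_school_year(string $raw): ?string
{
    $value = trim($raw);
    if (!preg_match('/^(\d{4})-(\d{4})$/', $value, $m)) {
        return null;
    }
    if ((int) $m[2] !== (int) $m[1] + 1) {
        return null;
    }
    return $value;
}

/**
 * Context-aware escaping for HTML body text and quoted attribute values:
 * encodes <, >, &, " and ' so stored text is rendered as text, never
 * parsed as markup, regardless of what made it into the database.
 */
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Restrictive Content Security Policy as defence in depth: scripts load
 * only from this origin, inline scripts and event handlers are blocked,
 * so a value that slipped past encoding still cannot execute.
 */
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
        . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
}

// --- request handling (assumed: an admin form that POSTs school_year) ---
send_csp_header();

$stored = []; // stand-in for rows read back from the database

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $year = validate_school_year((string) ($_POST['school_year'] ?? ''));
    if ($year === null) {
        http_response_code(400);
        exit('Invalid school year; expected the form YYYY-YYYY.');
    }
    // Persist with a prepared statement (PDO connection $pdo assumed).
    // $pdo->prepare('INSERT INTO school_year (name) VALUES (?)')->execute([$year]);
    $stored[] = $year;
}

// Rendering: encode every stored value at output time, in its own context.
// Body text and the title attribute use HTML encoding; the query-string
// parameter uses URL encoding, because each context has different syntax.
echo "<table>\n";
foreach ($stored as $row) {
    echo '<tr><td>' . esc_html($row) . '</td>'
       . '<td><a href="?edit=' . rawurlencode($row) . '" title="' . esc_html($row) . '">edit</a></td></tr>'
       . "\n";
}
echo "</table>\n";
```

The validation step narrows the accepted input to a fixed shape, but it is the output encoding that actually prevents CWE-79: records written by older code paths, imports, or other fields are still rendered safely because every value is encoded at the point where it meets HTML. The CSP header is the third layer; it does nothing for a correctly encoded page but limits the damage if an encoding call is missed elsewhere in the application.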
Affected Countries
India, United States, United Kingdom, Canada, Australia, Germany, France, Brazil, South Africa, Nigeria
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-10-28T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6ba0b7ef31ef0b55755d
Added to database: 2/25/2026, 9:37:36 PM
Last enriched: 2/26/2026, 1:09:15 AM
Last updated: 2/26/2026, 9:34:52 AM
Views: 1