CVE-2024-50983
FlightPath 7.5 contains a Cross Site Scripting (XSS) vulnerability, which allows authenticated remote attackers with administrative rights to inject arbitrary JavaScript in the web browser of a user by including a malicious payload into the Last Name section in the Create/Edit Faculty/Staff User or Create/Edit Student User sections.
AI Analysis
Technical Summary
CVE-2024-50983 is a stored Cross Site Scripting (XSS) vulnerability affecting FlightPath version 7.5. The flaw exists because the application fails to properly sanitize or encode user input in the Last Name field within the Create/Edit Faculty/Staff User and Create/Edit Student User interfaces. An attacker with authenticated administrative privileges can store a malicious JavaScript payload in this field. When another user views the affected user record, the injected script executes in that user's browser context, potentially allowing session hijacking, privilege escalation, or unauthorized actions within the application. Because the attacker must already hold administrative rights, the attack surface is limited, but the risk rises sharply if such credentials are compromised. The CVSS v3.1 score is 6.1, reflecting a network attack vector, low attack complexity, privileges required, user interaction needed, and impacts on confidentiality and integrity but not availability. No patches or known exploits have been reported yet; the vulnerability was publicly disclosed on November 15, 2024. The underlying weakness corresponds to CWE-79, the standard XSS category.
Potential Impact
This vulnerability can lead to unauthorized script execution in the browsers of users who view the maliciously crafted user profiles, potentially resulting in session hijacking, theft of sensitive information, or unauthorized actions performed with the victim’s privileges. Since exploitation requires administrative credentials, the impact is somewhat contained but significant in environments where multiple administrators or privileged users exist. Confidentiality and integrity of user data and sessions are at risk, which could lead to broader compromise of the FlightPath system or connected resources. The lack of availability impact reduces the risk of denial-of-service conditions. Organizations using FlightPath 7.5 in educational or institutional environments could face reputational damage, data breaches, or compliance violations if this vulnerability is exploited.
Mitigation Recommendations
Organizations should immediately review and restrict administrative access to trusted personnel only, enforcing strong authentication and monitoring for suspicious activity. Input validation and context-aware output encoding should be implemented or strengthened for the Last Name field and other user-supplied fields so that stored values are rendered as text rather than interpreted as markup. The FlightPath vendor should prioritize releasing a patch that encodes user input properly, and administrators should apply it as soon as it is available. In the interim, administrators can reduce risk by limiting the number of users with administrative privileges and educating users to avoid interacting with suspicious user profiles. Web application firewalls (WAFs) can be configured to detect and block common XSS payloads targeting this vector. Regular security audits and penetration testing focused on user input handling are recommended to identify similar vulnerabilities.
Affected Countries
United States, Canada, United Kingdom, Australia, Germany, France, India, Japan, South Korea, Brazil
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-10-28T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6ba4b7ef31ef0b557740
Added to database: 2/25/2026, 9:37:40 PM
Last enriched: 2/28/2026, 2:38:48 AM
Last updated: 4/11/2026, 10:14:17 PM