This vulnerability in PowerSchool Employee Access Center 23.10 involves improper neutralization of input during web page generation, classified as CWE-79. Specifically, it allows an attacker to append JavaScript code after the login URL, which is eval()'d and executed within the user's browser context. This can lead to cross-site scripting attacks, potentially impacting user session integrity and confidentiality. The CVSS 4.0 base score is 5.7, indicating a medium severity level. No official patch or remediation guidance is currently provided by the vendor, and no known exploits are reported in the wild.

Successful exploitation could allow an attacker to execute arbitrary JavaScript in the context of the affected user's browser session. This may lead to theft of session tokens, user impersonation, or other actions performed with the user's privileges within the application. However, exploitation requires user interaction (UI:P) and the impact on confidentiality, integrity, and availability is rated as low to high depending on context per the CVSS vector.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users and administrators should exercise caution with URLs received from untrusted sources and avoid clicking suspicious links. No vendor-provided temporary or official fixes are currently documented.