Search criteria
18 vulnerabilities found for schoolbox by schoolbox
FKIE_CVE-2024-28097
Vulnerability from fkie_nvd - Published: 2024-03-07 04:15 - Updated: 2025-02-05 17:23
Severity ?
7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Calendar functionality in Schoolbox application
before version 23.1.3 is vulnerable to stored cross-site scripting
allowing authenticated attacker to perform security actions in the
context of the affected users.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:schoolbox:schoolbox:*:*:*:*:*:*:*:*",
"matchCriteriaId": "74EE0444-60C1-4AB1-9D79-4681443BFA26",
"versionEndExcluding": "23.1.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Calendar functionality in Schoolbox application \nbefore version 23.1.3 is vulnerable to stored cross-site scripting \nallowing authenticated attacker to perform security actions in the \ncontext of the affected users."
},
{
"lang": "es",
"value": "La funcionalidad de calendario en la aplicaci\u00f3n Schoolbox anterior a la versi\u00f3n 23.1.3 es vulnerable a Cross-Site Scripting almacenados, lo que permite a un atacante autenticado realizar acciones de seguridad en el contexto de los usuarios afectados."
}
],
"id": "CVE-2024-28097",
"lastModified": "2025-02-05T17:23:01.313",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.2,
"source": "vdp@themissinglink.com.au",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-07T04:15:07.897",
"references": [
{
"source": "vdp@themissinglink.com.au",
"tags": [
"Product"
],
"url": "https://schoolbox.education/"
},
{
"source": "vdp@themissinglink.com.au",
"tags": [
"Third Party Advisory"
],
"url": "https://www.themissinglink.com.au/security-advisories/cve-2024-28097"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://schoolbox.education/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.themissinglink.com.au/security-advisories/cve-2024-28097"
}
],
"sourceIdentifier": "vdp@themissinglink.com.au",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "vdp@themissinglink.com.au",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-28096
Vulnerability from fkie_nvd - Published: 2024-03-07 04:15 - Updated: 2025-02-05 17:22
Severity ?
7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Class functionality in Schoolbox application
before version 23.1.3 is vulnerable to stored cross-site scripting
allowing authenticated attacker to perform security actions in the
context of the affected users.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:schoolbox:schoolbox:*:*:*:*:*:*:*:*",
"matchCriteriaId": "74EE0444-60C1-4AB1-9D79-4681443BFA26",
"versionEndExcluding": "23.1.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Class functionality in Schoolbox application \nbefore version 23.1.3 is vulnerable to stored cross-site scripting \nallowing authenticated attacker to perform security actions in the \ncontext of the affected users."
},
{
"lang": "es",
"value": "La funcionalidad de clase en la aplicaci\u00f3n Schoolbox anterior a la versi\u00f3n 23.1.3 es vulnerable a Cross-Site Scripting almacenados, lo que permite a un atacante autenticado realizar acciones de seguridad en el contexto de los usuarios afectados."
}
],
"id": "CVE-2024-28096",
"lastModified": "2025-02-05T17:22:49.233",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.2,
"source": "vdp@themissinglink.com.au",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-07T04:15:07.703",
"references": [
{
"source": "vdp@themissinglink.com.au",
"tags": [
"Product"
],
"url": "https://schoolbox.education/"
},
{
"source": "vdp@themissinglink.com.au",
"tags": [
"Third Party Advisory"
],
"url": "https://www.themissinglink.com.au/security-advisories/cve-2024-28096"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://schoolbox.education/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.themissinglink.com.au/security-advisories/cve-2024-28096"
}
],
"sourceIdentifier": "vdp@themissinglink.com.au",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "vdp@themissinglink.com.au",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-28094
Vulnerability from fkie_nvd - Published: 2024-03-07 04:15 - Updated: 2025-02-05 17:15
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Chat functionality in Schoolbox application before
version 23.1.3 is vulnerable to blind SQL Injection enabling the
authenticated attackers to read, modify, and delete database records.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:schoolbox:schoolbox:*:*:*:*:*:*:*:*",
"matchCriteriaId": "74EE0444-60C1-4AB1-9D79-4681443BFA26",
"versionEndExcluding": "23.1.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Chat functionality in Schoolbox application before\n version 23.1.3 is vulnerable to blind SQL Injection enabling the \nauthenticated attackers to read, modify, and delete database records."
},
{
"lang": "es",
"value": "La funcionalidad de chat en la aplicaci\u00f3n Schoolbox anterior a la versi\u00f3n 23.1.3 es vulnerable a la inyecci\u00f3n SQL ciega, lo que permite a los atacantes autenticados leer, modificar y eliminar registros de la base de datos."
}
],
"id": "CVE-2024-28094",
"lastModified": "2025-02-05T17:15:25.047",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "vdp@themissinglink.com.au",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-07T04:15:07.333",
"references": [
{
"source": "vdp@themissinglink.com.au",
"tags": [
"Product"
],
"url": "https://schoolbox.education/"
},
{
"source": "vdp@themissinglink.com.au",
"tags": [
"Third Party Advisory"
],
"url": "https://www.themissinglink.com.au/security-advisories/cve-2024-28094"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://schoolbox.education/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.themissinglink.com.au/security-advisories/cve-2024-28094"
}
],
"sourceIdentifier": "vdp@themissinglink.com.au",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "vdp@themissinglink.com.au",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-28095
Vulnerability from fkie_nvd - Published: 2024-03-07 04:15 - Updated: 2025-02-05 17:22
Severity ?
7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
News functionality in Schoolbox application before
version 23.1.3 is vulnerable to stored cross-site scripting allowing
authenticated attacker to perform security actions in the context of the
affected users.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:schoolbox:schoolbox:*:*:*:*:*:*:*:*",
"matchCriteriaId": "74EE0444-60C1-4AB1-9D79-4681443BFA26",
"versionEndExcluding": "23.1.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "News functionality in Schoolbox application before\n version 23.1.3 is vulnerable to stored cross-site scripting allowing \nauthenticated attacker to perform security actions in the context of the\n affected users."
},
{
"lang": "es",
"value": "La funcionalidad de noticias en la aplicaci\u00f3n Schoolbox anterior a la versi\u00f3n 23.1.3 es vulnerable a Cross-Site Scripting almacenados, lo que permite a un atacante autenticado realizar acciones de seguridad en el contexto de los usuarios afectados."
}
],
"id": "CVE-2024-28095",
"lastModified": "2025-02-05T17:22:23.773",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.2,
"source": "vdp@themissinglink.com.au",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-03-07T04:15:07.527",
"references": [
{
"source": "vdp@themissinglink.com.au",
"tags": [
"Product"
],
"url": "https://schoolbox.education/"
},
{
"source": "vdp@themissinglink.com.au",
"tags": [
"Third Party Advisory"
],
"url": "https://www.themissinglink.com.au/security-advisories/cve-2024-28095"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://schoolbox.education/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.themissinglink.com.au/security-advisories/cve-2024-28095"
}
],
"sourceIdentifier": "vdp@themissinglink.com.au",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "vdp@themissinglink.com.au",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-39020
Vulnerability from fkie_nvd - Published: 2022-10-31 21:15 - Updated: 2024-11-21 07:17
Severity ?
7.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Multiple instances of XSS (stored and reflected) was found in the application. For example, features such as student assessment submission, file upload, news, ePortfolio and calendar event creation were found to be vulnerable to cross-site scripting.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:schoolbox:schoolbox:21.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D46F4619-A324-4FF3-996A-FCE9070CFFDF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "\nMultiple instances of XSS (stored and reflected) was found in the application. For example, features such as student assessment submission, file upload, news, ePortfolio and calendar event creation were found to be vulnerable to cross-site scripting.\n\n"
},
{
"lang": "es",
"value": "Se encontraron varias instancias de Cross Site-Scripting XSS (stored y reflejadas) en la aplicaci\u00f3n. Por ejemplo, se descubri\u00f3 que funciones como el env\u00edo de evaluaciones de los estudiantes, la carga de archivos, las noticias, el portafolio electr\u00f3nico y la creaci\u00f3n de eventos de calendario eran vulnerables a Cross-Site Scripting.\n"
}
],
"id": "CVE-2022-39020",
"lastModified": "2024-11-21T07:17:23.450",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 4.7,
"source": "vdp@themissinglink.com.au",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-10-31T21:15:12.250",
"references": [
{
"source": "vdp@themissinglink.com.au",
"tags": [
"Third Party Advisory"
],
"url": "https://www.themissinglink.com.au/security-advisories/cve-2022-39020"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.themissinglink.com.au/security-advisories/cve-2022-39020"
}
],
"sourceIdentifier": "vdp@themissinglink.com.au",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "vdp@themissinglink.com.au",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-3059
Vulnerability from fkie_nvd - Published: 2022-10-31 21:15 - Updated: 2024-11-21 07:18
Severity ?
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
The application was vulnerable to multiple instances of SQL injection (authenticated and unauthenticated) through a vulnerable parameter. Due to the stacked query support, complex SQL commands could be crafted and injected into the vulnerable parameter and using a sleep based inferential SQL injection it was possible to extract data from the database.
References
| URL | Tags | ||
|---|---|---|---|
| vdp@themissinglink.com.au | https://www.themissinglink.com.au/security-advisories/cve-2022-3059 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.themissinglink.com.au/security-advisories/cve-2022-3059 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:schoolbox:schoolbox:21.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D46F4619-A324-4FF3-996A-FCE9070CFFDF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "\nThe application was vulnerable to multiple instances of SQL injection (authenticated and unauthenticated) through a vulnerable parameter. Due to the stacked query support, complex SQL commands could be crafted and injected into the vulnerable parameter and using a sleep based inferential SQL injection it was possible to extract data from the database.\n\n"
},
{
"lang": "es",
"value": "La aplicaci\u00f3n era vulnerable a m\u00faltiples instancias de inyecci\u00f3n SQL (autenticadas y no autenticadas) a trav\u00e9s de un par\u00e1metro vulnerable. Debido al soporte de consultas apiladas, se pudieron manipular e inyectar comandos SQL complejos en el par\u00e1metro vulnerable y, utilizando una inyecci\u00f3n SQL inferencial basada en suspensi\u00f3n, fue posible extraer datos de la base de datos."
}
],
"id": "CVE-2022-3059",
"lastModified": "2024-11-21T07:18:44.267",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.7,
"source": "vdp@themissinglink.com.au",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-10-31T21:15:12.330",
"references": [
{
"source": "vdp@themissinglink.com.au",
"tags": [
"Third Party Advisory"
],
"url": "https://www.themissinglink.com.au/security-advisories/cve-2022-3059"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.themissinglink.com.au/security-advisories/cve-2022-3059"
}
],
"sourceIdentifier": "vdp@themissinglink.com.au",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "vdp@themissinglink.com.au",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2024-28097 (GCVE-0-2024-28097)
Vulnerability from cvelistv5 – Published: 2024-03-07 03:21 – Updated: 2024-08-26 15:58
VLAI?
Title
Stored Cross-site Scripting in Calendar functionality in Schoolbox
Summary
Calendar functionality in Schoolbox application
before version 23.1.3 is vulnerable to stored cross-site scripting
allowing authenticated attacker to perform security actions in the
context of the affected users.
Severity ?
7.3 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Schoolbox Pty Ltd | Schoolbox |
Affected:
0 , < 23.1.3
(Minor)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:48.725Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.themissinglink.com.au/security-advisories/cve-2024-28097"
},
{
"tags": [
"x_transferred"
],
"url": "https://schoolbox.education/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:schoolbox:schoolbox:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "schoolbox",
"vendor": "schoolbox",
"versions": [
{
"lessThan": "23.1.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28097",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-07T20:22:53.776003Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T15:58:14.503Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Schoolbox",
"vendor": "Schoolbox Pty Ltd",
"versions": [
{
"lessThan": "23.1.3",
"status": "affected",
"version": "0",
"versionType": "Minor"
}
]
}
],
"datePublic": "2024-03-06T08:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Calendar functionality in Schoolbox application \nbefore version 23.1.3 is vulnerable to stored cross-site scripting \nallowing authenticated attacker to perform security actions in the \ncontext of the affected users."
}
],
"value": "Calendar functionality in Schoolbox application \nbefore version 23.1.3 is vulnerable to stored cross-site scripting \nallowing authenticated attacker to perform security actions in the \ncontext of the affected users."
}
],
"impacts": [
{
"capecId": "CAPEC-104",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-104 Cross Zone Scripting"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-07T03:22:15.658Z",
"orgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
"shortName": "TML"
},
"references": [
{
"url": "https://www.themissinglink.com.au/security-advisories/cve-2024-28097"
},
{
"url": "https://schoolbox.education/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored Cross-site Scripting in Calendar functionality in Schoolbox",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
"assignerShortName": "TML",
"cveId": "CVE-2024-28097",
"datePublished": "2024-03-07T03:21:21.016Z",
"dateReserved": "2024-03-04T04:27:20.021Z",
"dateUpdated": "2024-08-26T15:58:14.503Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28096 (GCVE-0-2024-28096)
Vulnerability from cvelistv5 – Published: 2024-03-07 03:18 – Updated: 2024-08-02 00:48
VLAI?
Title
Stored Cross-site Scripting in Class functionality in Schoolbox
Summary
Class functionality in Schoolbox application
before version 23.1.3 is vulnerable to stored cross-site scripting
allowing authenticated attacker to perform security actions in the
context of the affected users.
Severity ?
7.3 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Schoolbox Pty Ltd | Schoolbox |
Affected:
0 , < 23.1.3
(Minor)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28096",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-07T15:54:12.519753Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T18:03:45.570Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:48.893Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.themissinglink.com.au/security-advisories/cve-2024-28096"
},
{
"tags": [
"x_transferred"
],
"url": "https://schoolbox.education/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Schoolbox",
"vendor": "Schoolbox Pty Ltd",
"versions": [
{
"lessThan": "23.1.3",
"status": "affected",
"version": "0",
"versionType": "Minor"
}
]
}
],
"datePublic": "2024-03-06T08:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Class functionality in Schoolbox application \nbefore version 23.1.3 is vulnerable to stored cross-site scripting \nallowing authenticated attacker to perform security actions in the \ncontext of the affected users."
}
],
"value": "Class functionality in Schoolbox application \nbefore version 23.1.3 is vulnerable to stored cross-site scripting \nallowing authenticated attacker to perform security actions in the \ncontext of the affected users."
}
],
"impacts": [
{
"capecId": "CAPEC-104",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-104 Cross Zone Scripting"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-07T03:21:56.549Z",
"orgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
"shortName": "TML"
},
"references": [
{
"url": "https://www.themissinglink.com.au/security-advisories/cve-2024-28096"
},
{
"url": "https://schoolbox.education/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored Cross-site Scripting in Class functionality in Schoolbox",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
"assignerShortName": "TML",
"cveId": "CVE-2024-28096",
"datePublished": "2024-03-07T03:18:33.101Z",
"dateReserved": "2024-03-04T04:27:20.021Z",
"dateUpdated": "2024-08-02T00:48:48.893Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28095 (GCVE-0-2024-28095)
Vulnerability from cvelistv5 – Published: 2024-03-07 03:17 – Updated: 2024-08-02 00:48
VLAI?
Title
Stored Cross-site Scripting in News functionality in Schoolbox
Summary
News functionality in Schoolbox application before
version 23.1.3 is vulnerable to stored cross-site scripting allowing
authenticated attacker to perform security actions in the context of the
affected users.
Severity ?
7.3 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Schoolbox Pty Ltd | Schoolbox |
Affected:
0 , < 23.1.3
(Minor)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28095",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-14T19:43:03.725741Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T18:03:21.542Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:48.247Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.themissinglink.com.au/security-advisories/cve-2024-28095"
},
{
"tags": [
"x_transferred"
],
"url": "https://schoolbox.education/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Schoolbox",
"vendor": "Schoolbox Pty Ltd",
"versions": [
{
"lessThan": "23.1.3",
"status": "affected",
"version": "0",
"versionType": "Minor"
}
]
}
],
"datePublic": "2024-03-06T08:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "News functionality in Schoolbox application before\n version 23.1.3 is vulnerable to stored cross-site scripting allowing \nauthenticated attacker to perform security actions in the context of the\n affected users."
}
],
"value": "News functionality in Schoolbox application before\n version 23.1.3 is vulnerable to stored cross-site scripting allowing \nauthenticated attacker to perform security actions in the context of the\n affected users."
}
],
"impacts": [
{
"capecId": "CAPEC-104",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-104 Cross Zone Scripting"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-07T03:17:02.562Z",
"orgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
"shortName": "TML"
},
"references": [
{
"url": "https://www.themissinglink.com.au/security-advisories/cve-2024-28095"
},
{
"url": "https://schoolbox.education/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored Cross-site Scripting in News functionality in Schoolbox",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
"assignerShortName": "TML",
"cveId": "CVE-2024-28095",
"datePublished": "2024-03-07T03:17:02.562Z",
"dateReserved": "2024-03-04T04:27:20.021Z",
"dateUpdated": "2024-08-02T00:48:48.247Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28094 (GCVE-0-2024-28094)
Vulnerability from cvelistv5 – Published: 2024-03-07 03:14 – Updated: 2024-08-02 00:48
VLAI?
Title
Blind SQL Injection in Chat functionality in Schoolbox
Summary
Chat functionality in Schoolbox application before
version 23.1.3 is vulnerable to blind SQL Injection enabling the
authenticated attackers to read, modify, and delete database records.
Severity ?
8.8 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Schoolbox Pty Ltd | Schoolbox |
Affected:
0 , < 23.1.3
(Minor)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28094",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-07T18:31:38.565724Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T18:03:28.556Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:48.241Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.themissinglink.com.au/security-advisories/cve-2024-28094"
},
{
"tags": [
"x_transferred"
],
"url": "https://schoolbox.education/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Schoolbox",
"vendor": "Schoolbox Pty Ltd",
"versions": [
{
"lessThan": "23.1.3",
"status": "affected",
"version": "0",
"versionType": "Minor"
}
]
}
],
"datePublic": "2024-03-06T08:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Chat functionality in Schoolbox application before\n version 23.1.3 is vulnerable to blind SQL Injection enabling the \nauthenticated attackers to read, modify, and delete database records."
}
],
"value": "Chat functionality in Schoolbox application before\n version 23.1.3 is vulnerable to blind SQL Injection enabling the \nauthenticated attackers to read, modify, and delete database records."
}
],
"impacts": [
{
"capecId": "CAPEC-7",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-7 Blind SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-07T03:14:25.843Z",
"orgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
"shortName": "TML"
},
"references": [
{
"url": "https://www.themissinglink.com.au/security-advisories/cve-2024-28094"
},
{
"url": "https://schoolbox.education/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Blind SQL Injection in Chat functionality in Schoolbox",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
"assignerShortName": "TML",
"cveId": "CVE-2024-28094",
"datePublished": "2024-03-07T03:14:25.843Z",
"dateReserved": "2024-03-04T04:27:20.021Z",
"dateUpdated": "2024-08-02T00:48:48.241Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3059 (GCVE-0-2022-3059)
Vulnerability from cvelistv5 – Published: 2022-10-31 20:06 – Updated: 2025-05-05 18:54
VLAI?
Title
SQL injection in Schoolbox version 21.0.2, by Schoolbox Pty Ltd
Summary
The application was vulnerable to multiple instances of SQL injection (authenticated and unauthenticated) through a vulnerable parameter. Due to the stacked query support, complex SQL commands could be crafted and injected into the vulnerable parameter and using a sleep based inferential SQL injection it was possible to extract data from the database.
Severity ?
8.6 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Schoolbox Pty Ltd | Schoolbox |
Affected:
21.0.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:00:10.315Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://www.themissinglink.com.au/security-advisories/cve-2022-3059",
"tags": [
"x_transferred"
],
"url": "https://www.themissinglink.com.au/security-advisories/cve-2022-3059"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3059",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-05T18:53:59.167199Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T18:54:14.037Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Schoolbox",
"vendor": "Schoolbox Pty Ltd",
"versions": [
{
"status": "affected",
"version": "21.0.2"
}
]
}
],
"datePublic": "2022-10-28T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003eThe application was vulnerable to multiple instances of SQL injection (authenticated and unauthenticated) through a vulnerable parameter. Due to the stacked query support, complex SQL commands could be crafted and injected into the vulnerable parameter and using a sleep based inferential SQL injection it was possible to extract data from the database.\u003c/span\u003e\n\n"
}
],
"value": "\nThe application was vulnerable to multiple instances of SQL injection (authenticated and unauthenticated) through a vulnerable parameter. Due to the stacked query support, complex SQL commands could be crafted and injected into the vulnerable parameter and using a sleep based inferential SQL injection it was possible to extract data from the database.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-25T08:12:53.975Z",
"orgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
"shortName": "TML"
},
"references": [
{
"name": "https://www.themissinglink.com.au/security-advisories/cve-2022-3059",
"url": "https://www.themissinglink.com.au/security-advisories/cve-2022-3059"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SQL injection in Schoolbox version 21.0.2, by Schoolbox Pty Ltd",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
"assignerShortName": "TML",
"cveId": "CVE-2022-3059",
"datePublished": "2022-10-31T20:06:55.882Z",
"dateReserved": "2022-08-30T00:00:00.000Z",
"dateUpdated": "2025-05-05T18:54:14.037Z",
"serial": 1,
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39020 (GCVE-0-2022-39020)
Vulnerability from cvelistv5 – Published: 2022-10-31 20:06 – Updated: 2025-05-06 19:21
VLAI?
Title
Cross-site scripting in Schoolbox version 21.0.2, by Schoolbox Pty Ltd
Summary
Multiple instances of XSS (stored and reflected) was found in the application. For example, features such as student assessment submission, file upload, news, ePortfolio and calendar event creation were found to be vulnerable to cross-site scripting.
Severity ?
7.6 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Schoolbox Pty Ltd | Schoolbox |
Affected:
21.0.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T11:10:32.473Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://www.themissinglink.com.au/security-advisories/cve-2022-39020",
"tags": [
"x_transferred"
],
"url": "https://www.themissinglink.com.au/security-advisories/cve-2022-39020"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39020",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-06T19:20:46.315613Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T19:21:01.913Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Schoolbox",
"vendor": "Schoolbox Pty Ltd",
"versions": [
{
"status": "affected",
"version": "21.0.2"
}
]
}
],
"datePublic": "2022-10-28T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003eMultiple instances of XSS (stored and reflected) was found in the application. For example, features such as student assessment submission, file upload, news, ePortfolio and calendar event creation were found to be vulnerable to cross-site scripting.\u003c/span\u003e\n\n"
}
],
"value": "\nMultiple instances of XSS (stored and reflected) was found in the application. For example, features such as student assessment submission, file upload, news, ePortfolio and calendar event creation were found to be vulnerable to cross-site scripting.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-25T08:23:05.720Z",
"orgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
"shortName": "TML"
},
"references": [
{
"name": "https://www.themissinglink.com.au/security-advisories/cve-2022-39020",
"url": "https://www.themissinglink.com.au/security-advisories/cve-2022-39020"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Cross-site scripting in Schoolbox version 21.0.2, by Schoolbox Pty Ltd",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
"assignerShortName": "TML",
"cveId": "CVE-2022-39020",
"datePublished": "2022-10-31T20:06:12.157Z",
"dateReserved": "2022-08-30T00:00:00.000Z",
"dateUpdated": "2025-05-06T19:21:01.913Z",
"serial": 1,
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28097 (GCVE-0-2024-28097)
Vulnerability from nvd – Published: 2024-03-07 03:21 – Updated: 2024-08-26 15:58
VLAI?
Title
Stored Cross-site Scripting in Calendar functionality in Schoolbox
Summary
Calendar functionality in Schoolbox application
before version 23.1.3 is vulnerable to stored cross-site scripting
allowing authenticated attacker to perform security actions in the
context of the affected users.
Severity ?
7.3 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Schoolbox Pty Ltd | Schoolbox |
Affected:
0 , < 23.1.3
(Minor)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:48.725Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.themissinglink.com.au/security-advisories/cve-2024-28097"
},
{
"tags": [
"x_transferred"
],
"url": "https://schoolbox.education/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:schoolbox:schoolbox:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "schoolbox",
"vendor": "schoolbox",
"versions": [
{
"lessThan": "23.1.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28097",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-07T20:22:53.776003Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T15:58:14.503Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Schoolbox",
"vendor": "Schoolbox Pty Ltd",
"versions": [
{
"lessThan": "23.1.3",
"status": "affected",
"version": "0",
"versionType": "Minor"
}
]
}
],
"datePublic": "2024-03-06T08:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Calendar functionality in Schoolbox application \nbefore version 23.1.3 is vulnerable to stored cross-site scripting \nallowing authenticated attacker to perform security actions in the \ncontext of the affected users."
}
],
"value": "Calendar functionality in Schoolbox application \nbefore version 23.1.3 is vulnerable to stored cross-site scripting \nallowing authenticated attacker to perform security actions in the \ncontext of the affected users."
}
],
"impacts": [
{
"capecId": "CAPEC-104",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-104 Cross Zone Scripting"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-07T03:22:15.658Z",
"orgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
"shortName": "TML"
},
"references": [
{
"url": "https://www.themissinglink.com.au/security-advisories/cve-2024-28097"
},
{
"url": "https://schoolbox.education/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored Cross-site Scripting in Calendar functionality in Schoolbox",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
"assignerShortName": "TML",
"cveId": "CVE-2024-28097",
"datePublished": "2024-03-07T03:21:21.016Z",
"dateReserved": "2024-03-04T04:27:20.021Z",
"dateUpdated": "2024-08-26T15:58:14.503Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28096 (GCVE-0-2024-28096)
Vulnerability from nvd – Published: 2024-03-07 03:18 – Updated: 2024-08-02 00:48
VLAI?
Title
Stored Cross-site Scripting in Class functionality in Schoolbox
Summary
Class functionality in Schoolbox application
before version 23.1.3 is vulnerable to stored cross-site scripting
allowing authenticated attacker to perform security actions in the
context of the affected users.
Severity ?
7.3 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Schoolbox Pty Ltd | Schoolbox |
Affected:
0 , < 23.1.3
(Minor)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28096",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-07T15:54:12.519753Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T18:03:45.570Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:48.893Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.themissinglink.com.au/security-advisories/cve-2024-28096"
},
{
"tags": [
"x_transferred"
],
"url": "https://schoolbox.education/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Schoolbox",
"vendor": "Schoolbox Pty Ltd",
"versions": [
{
"lessThan": "23.1.3",
"status": "affected",
"version": "0",
"versionType": "Minor"
}
]
}
],
"datePublic": "2024-03-06T08:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Class functionality in Schoolbox application \nbefore version 23.1.3 is vulnerable to stored cross-site scripting \nallowing authenticated attacker to perform security actions in the \ncontext of the affected users."
}
],
"value": "Class functionality in Schoolbox application \nbefore version 23.1.3 is vulnerable to stored cross-site scripting \nallowing authenticated attacker to perform security actions in the \ncontext of the affected users."
}
],
"impacts": [
{
"capecId": "CAPEC-104",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-104 Cross Zone Scripting"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-07T03:21:56.549Z",
"orgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
"shortName": "TML"
},
"references": [
{
"url": "https://www.themissinglink.com.au/security-advisories/cve-2024-28096"
},
{
"url": "https://schoolbox.education/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored Cross-site Scripting in Class functionality in Schoolbox",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
"assignerShortName": "TML",
"cveId": "CVE-2024-28096",
"datePublished": "2024-03-07T03:18:33.101Z",
"dateReserved": "2024-03-04T04:27:20.021Z",
"dateUpdated": "2024-08-02T00:48:48.893Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28095 (GCVE-0-2024-28095)
Vulnerability from nvd – Published: 2024-03-07 03:17 – Updated: 2024-08-02 00:48
VLAI?
Title
Stored Cross-site Scripting in News functionality in Schoolbox
Summary
News functionality in Schoolbox application before
version 23.1.3 is vulnerable to stored cross-site scripting allowing
authenticated attacker to perform security actions in the context of the
affected users.
Severity ?
7.3 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Schoolbox Pty Ltd | Schoolbox |
Affected:
0 , < 23.1.3
(Minor)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28095",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-14T19:43:03.725741Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T18:03:21.542Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:48.247Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.themissinglink.com.au/security-advisories/cve-2024-28095"
},
{
"tags": [
"x_transferred"
],
"url": "https://schoolbox.education/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Schoolbox",
"vendor": "Schoolbox Pty Ltd",
"versions": [
{
"lessThan": "23.1.3",
"status": "affected",
"version": "0",
"versionType": "Minor"
}
]
}
],
"datePublic": "2024-03-06T08:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "News functionality in Schoolbox application before\n version 23.1.3 is vulnerable to stored cross-site scripting allowing \nauthenticated attacker to perform security actions in the context of the\n affected users."
}
],
"value": "News functionality in Schoolbox application before\n version 23.1.3 is vulnerable to stored cross-site scripting allowing \nauthenticated attacker to perform security actions in the context of the\n affected users."
}
],
"impacts": [
{
"capecId": "CAPEC-104",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-104 Cross Zone Scripting"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-07T03:17:02.562Z",
"orgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
"shortName": "TML"
},
"references": [
{
"url": "https://www.themissinglink.com.au/security-advisories/cve-2024-28095"
},
{
"url": "https://schoolbox.education/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored Cross-site Scripting in News functionality in Schoolbox",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
"assignerShortName": "TML",
"cveId": "CVE-2024-28095",
"datePublished": "2024-03-07T03:17:02.562Z",
"dateReserved": "2024-03-04T04:27:20.021Z",
"dateUpdated": "2024-08-02T00:48:48.247Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28094 (GCVE-0-2024-28094)
Vulnerability from nvd – Published: 2024-03-07 03:14 – Updated: 2024-08-02 00:48
VLAI?
Title
Blind SQL Injection in Chat functionality in Schoolbox
Summary
Chat functionality in Schoolbox application before
version 23.1.3 is vulnerable to blind SQL Injection enabling the
authenticated attackers to read, modify, and delete database records.
Severity ?
8.8 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Schoolbox Pty Ltd | Schoolbox |
Affected:
0 , < 23.1.3
(Minor)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28094",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-07T18:31:38.565724Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T18:03:28.556Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:48.241Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.themissinglink.com.au/security-advisories/cve-2024-28094"
},
{
"tags": [
"x_transferred"
],
"url": "https://schoolbox.education/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Schoolbox",
"vendor": "Schoolbox Pty Ltd",
"versions": [
{
"lessThan": "23.1.3",
"status": "affected",
"version": "0",
"versionType": "Minor"
}
]
}
],
"datePublic": "2024-03-06T08:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Chat functionality in Schoolbox application before\n version 23.1.3 is vulnerable to blind SQL Injection enabling the \nauthenticated attackers to read, modify, and delete database records."
}
],
"value": "Chat functionality in Schoolbox application before\n version 23.1.3 is vulnerable to blind SQL Injection enabling the \nauthenticated attackers to read, modify, and delete database records."
}
],
"impacts": [
{
"capecId": "CAPEC-7",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-7 Blind SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-07T03:14:25.843Z",
"orgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
"shortName": "TML"
},
"references": [
{
"url": "https://www.themissinglink.com.au/security-advisories/cve-2024-28094"
},
{
"url": "https://schoolbox.education/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Blind SQL Injection in Chat functionality in Schoolbox",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
"assignerShortName": "TML",
"cveId": "CVE-2024-28094",
"datePublished": "2024-03-07T03:14:25.843Z",
"dateReserved": "2024-03-04T04:27:20.021Z",
"dateUpdated": "2024-08-02T00:48:48.241Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3059 (GCVE-0-2022-3059)
Vulnerability from nvd – Published: 2022-10-31 20:06 – Updated: 2025-05-05 18:54
VLAI?
Title
SQL injection in Schoolbox version 21.0.2, by Schoolbox Pty Ltd
Summary
The application was vulnerable to multiple instances of SQL injection (authenticated and unauthenticated) through a vulnerable parameter. Due to the stacked query support, complex SQL commands could be crafted and injected into the vulnerable parameter and using a sleep based inferential SQL injection it was possible to extract data from the database.
Severity ?
8.6 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Schoolbox Pty Ltd | Schoolbox |
Affected:
21.0.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:00:10.315Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://www.themissinglink.com.au/security-advisories/cve-2022-3059",
"tags": [
"x_transferred"
],
"url": "https://www.themissinglink.com.au/security-advisories/cve-2022-3059"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3059",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-05T18:53:59.167199Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T18:54:14.037Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Schoolbox",
"vendor": "Schoolbox Pty Ltd",
"versions": [
{
"status": "affected",
"version": "21.0.2"
}
]
}
],
"datePublic": "2022-10-28T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003eThe application was vulnerable to multiple instances of SQL injection (authenticated and unauthenticated) through a vulnerable parameter. Due to the stacked query support, complex SQL commands could be crafted and injected into the vulnerable parameter and using a sleep based inferential SQL injection it was possible to extract data from the database.\u003c/span\u003e\n\n"
}
],
"value": "\nThe application was vulnerable to multiple instances of SQL injection (authenticated and unauthenticated) through a vulnerable parameter. Due to the stacked query support, complex SQL commands could be crafted and injected into the vulnerable parameter and using a sleep based inferential SQL injection it was possible to extract data from the database.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-25T08:12:53.975Z",
"orgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
"shortName": "TML"
},
"references": [
{
"name": "https://www.themissinglink.com.au/security-advisories/cve-2022-3059",
"url": "https://www.themissinglink.com.au/security-advisories/cve-2022-3059"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SQL injection in Schoolbox version 21.0.2, by Schoolbox Pty Ltd",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
"assignerShortName": "TML",
"cveId": "CVE-2022-3059",
"datePublished": "2022-10-31T20:06:55.882Z",
"dateReserved": "2022-08-30T00:00:00.000Z",
"dateUpdated": "2025-05-05T18:54:14.037Z",
"serial": 1,
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39020 (GCVE-0-2022-39020)
Vulnerability from nvd – Published: 2022-10-31 20:06 – Updated: 2025-05-06 19:21
VLAI?
Title
Cross-site scripting in Schoolbox version 21.0.2, by Schoolbox Pty Ltd
Summary
Multiple instances of XSS (stored and reflected) was found in the application. For example, features such as student assessment submission, file upload, news, ePortfolio and calendar event creation were found to be vulnerable to cross-site scripting.
Severity ?
7.6 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Schoolbox Pty Ltd | Schoolbox |
Affected:
21.0.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T11:10:32.473Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://www.themissinglink.com.au/security-advisories/cve-2022-39020",
"tags": [
"x_transferred"
],
"url": "https://www.themissinglink.com.au/security-advisories/cve-2022-39020"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39020",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-06T19:20:46.315613Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T19:21:01.913Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Schoolbox",
"vendor": "Schoolbox Pty Ltd",
"versions": [
{
"status": "affected",
"version": "21.0.2"
}
]
}
],
"datePublic": "2022-10-28T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(254, 254, 254);\"\u003eMultiple instances of XSS (stored and reflected) was found in the application. For example, features such as student assessment submission, file upload, news, ePortfolio and calendar event creation were found to be vulnerable to cross-site scripting.\u003c/span\u003e\n\n"
}
],
"value": "\nMultiple instances of XSS (stored and reflected) was found in the application. For example, features such as student assessment submission, file upload, news, ePortfolio and calendar event creation were found to be vulnerable to cross-site scripting.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-25T08:23:05.720Z",
"orgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
"shortName": "TML"
},
"references": [
{
"name": "https://www.themissinglink.com.au/security-advisories/cve-2022-39020",
"url": "https://www.themissinglink.com.au/security-advisories/cve-2022-39020"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Cross-site scripting in Schoolbox version 21.0.2, by Schoolbox Pty Ltd",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
"assignerShortName": "TML",
"cveId": "CVE-2022-39020",
"datePublished": "2022-10-31T20:06:12.157Z",
"dateReserved": "2022-08-30T00:00:00.000Z",
"dateUpdated": "2025-05-06T19:21:01.913Z",
"serial": 1,
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}