CVE-2023-38826
Description
A Cross Site Scripting (XSS) vulnerability exists in Follet Learning Solutions Destiny through 20.0_1U via the handlewpesearchform.do searchString parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Follet Destiny up to 20.0_1U has a reflected XSS in the handlewpesearchform.do endpoint via the searchString parameter.
Vulnerability
A reflected Cross-Site Scripting (XSS) vulnerability exists in the handlewpesearchform.do endpoint of Follet Learning Solutions Destiny versions up to 20.0_1U. The searchString parameter is not properly sanitized, allowing an attacker to inject arbitrary HTML and JavaScript code into the page returned by the server. The vulnerable request is a GET to /cataloging/servlet/handlewpesearchform.do with the malicious payload in the searchString parameter [1].
Exploitation
An attacker must first ensure the victim's session has the proper school ID set in a cookie, which can be achieved through social engineering to have the victim click on the correct school beforehand [1]. The attacker then crafts a URL with the XSS payload encoded in the searchString parameter, such as searchString=twode%3c%2ftitle%3e%3cscript%3ealert("Reflected XSS :)")%3c%2fscript%3eaaaaa, and tricks the victim into visiting it. The injected script can execute arbitrary JavaScript; for example, a proof-of-concept payload fetches a remote login form and overlays it on the page to steal credentials [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session, leading to potential theft of sensitive data such as login credentials, session tokens, or school-related information. The attack is reflected (non-persistent) but can be chained with social engineering to achieve account takeover or data exfiltration within the affected Destiny environment [1].
Mitigation
As of the available references, no patch or workaround is disclosed for this vulnerability. The vendor, Follett Learning Solutions, has released versions beyond 20.0_1U, but it is unclear if those versions include a fix. Users should apply input validation and output encoding on the searchString parameter as a recommended defense until an official update is confirmed. The CVE is not listed on CISA's Known Exploited Vulnerabilities catalog [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Follet Learning Solutions / Destiny
- Range: <=20.0_1U
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `searchString` parameter in `handlewpesearchform.do` is reflected in the response without proper sanitization or output encoding."
Attack vector
An attacker crafts a URL targeting `handlewpesearchform.do` with a malicious payload in the `searchString` parameter, such as `%3c%2ftitle%3e%3cscript%3ealert("Reflected XSS :)")%3c%2fscript%3e` [ref_id=1]. The victim must have a valid school ID cookie set for the application. The attacker can socially engineer the victim to click the crafted link, which executes the injected script in the victim's browser [ref_id=1]. The attacker can also host a remote JavaScript file that replicates the login form to steal credentials [ref_id=1].
Affected code
The vulnerability exists in the `handlewpesearchform.do` servlet within the Destiny application. The `searchString` parameter is reflected in the response without proper sanitization, allowing an attacker to inject arbitrary HTML and JavaScript [ref_id=1].
What the fix does
No patch is provided in the available references. The advisory does not specify a fix from Follet Learning Solutions. Remediation would require proper input validation and output encoding of the `searchString` parameter before reflecting it in the response, or implementing a Content Security Policy to mitigate script execution [ref_id=1].
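To make the output-encoding remediation concrete, the following added example (written for this page, not Follett's code) models the reflection described above: a page that places `searchString` inside `<title>`, rendered first verbatim and then entity-encoded, plus a defender-side check that flags access-log requests to the servlet whose decoded `searchString` carries markup characters. The template, log lines and host names are constructed; the URL is the one quoted in this page's reproduction step.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for a page that reflects the search term inside <title>;
# not Follett's code, only a model of the reflection the advisory describes.
PAGE_TEMPLATE = ('<html><head><title>Search: {term}</title></head>'
                 '<body><p>No results.</p></body></html>')

# The reproduction URL quoted in the advisory (site.com is the advisory's placeholder host).
ADVISORY_URL = ('https://site.com/cataloging/servlet/handlewpesearchform.do?spotlightID=&themeID='
                '&searchString=twode%3c%2ftitle%3e%3cscript%3ealert("Reflected XSS :)")'
                '%3c%2fscript%3eaaaaa&SearchWPE.x=0&SearchWPE.y=0')

def search_string_from_url(url: str) -> str:
    """Percent-decode the searchString query parameter, as the servlet container would."""
    return parse_qs(urlsplit(url).query).get('searchString', [''])[0]

def render_unsafe(search_string: str) -> str:
    """Vulnerable pattern: the decoded value is concatenated into the HTML verbatim."""
    return PAGE_TEMPLATE.format(term=search_string)

def render_safe(search_string: str) -> str:
    """Hardened pattern: entity-encode for the HTML text context, so '</title>' becomes
    '&lt;/title&gt;' and can no longer close the element or start a <script> tag."""
    return PAGE_TEMPLATE.format(term=html.escape(search_string, quote=True))

def has_injected_markup(page: str) -> bool:
    """Any '<' beyond the fixed template's own tags came from user input."""
    return page.count('<') > PAGE_TEMPLATE.count('<')

def flag_suspicious_requests(access_log: list[str]) -> list[str]:
    """Defender-side check over Common Log Format lines: return request paths to the
    search servlet whose decoded searchString carries markup or quote characters."""
    flagged = []
    for line in access_log:
        path = line.split('"')[1].split(' ')[1]  # '"GET /path HTTP/1.1"' -> /path
        if 'handlewpesearchform.do' not in path:
            continue
        term = search_string_from_url('http://placeholder' + path)
        if any(ch in term for ch in '<>"\''):
            flagged.append(path)
    return flagged

# Constructed access-log lines (not real traffic): one benign search, one carrying the
# advisory's payload with quotes and spaces percent-encoded as a browser would send them.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /cataloging/servlet/handlewpesearchform.do'
    '?searchString=dinosaurs HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /cataloging/servlet/handlewpesearchform.do'
    '?searchString=twode%3c%2ftitle%3e%3cscript%3ealert(%22Reflected%20XSS%20:)%22)'
    '%3c%2fscript%3eaaaaa HTTP/1.1" 200 640',
]
```

The same comparison applies to any other HTML text context the parameter is reflected into; attribute and JavaScript contexts need their own encoders, which this example does not cover.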
Preconditions
- The victim must have a valid school ID cookie set for the target school that has search functions enabled.
- The attacker must socially engineer the victim to click a crafted URL.
- The application must be version 20.0_1U or earlier.
Reproduction
1. Ensure the victim has the proper school ID cookie set for a school that contains search functions.
2. Craft a URL: `https://site.com/cataloging/servlet/handlewpesearchform.do?spotlightID=&themeID=&searchString=twode%3c%2ftitle%3e%3cscript%3ealert("Reflected XSS :)")%3c%2fscript%3eaaaaa&SearchWPE.x=0&SearchWPE.y=0` [ref_id=1].
3. Socially engineer the victim to click the link. The injected script executes in the victim's browser [ref_id=1].
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.