VYPR
Unrated severity · NVD Advisory · Published Jul 5, 2024 · Updated Aug 21, 2024

CVE-2024-27711

Description

Eskooly <=3.0 sign-up process allows remote attackers to enumerate valid accounts and escalate privileges via related vulnerabilities.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2024-27711 affects Eskooly Free Online School Management Software version 3.0 and earlier. The flaw is in the sign-up process reachable from the account settings: when the requested username already exists, the application returns an error message that differs from the one it returns otherwise, so an unauthenticated client can distinguish valid accounts from invalid ones. All versions up to and including v3.0 are affected [1].

Exploitation

An attacker with network access to the Eskooly application can submit a series of username guesses to the sign-up form. The response reveals whether a name is already taken (e.g., "the username is invalid" for an existing account versus a generic error or success message otherwise). By comparing the responses, the attacker compiles a list of valid usernames, including those of administrators. No authentication or special privileges are required to perform this enumeration [1].

Impact

Enumeration by itself grants no access, but it gives an attacker a list of valid accounts to use with other vulnerabilities, such as CVE-2024-27710, to escalate privileges: a student could enumerate a teacher or admin account and then use the privilege escalation flaw to gain higher-level access. The overall risk is rated medium, but the likelihood of exploitation is high because enumeration is trivial and related attack vectors are available [1].

Mitigation

As of the publication date, Eskooly has released no official patch or fixed version. Users of version 3.0 or earlier should monitor vendor channels for updates. Until a patch is available, administrators should consider restricting access to the sign-up page, or at least rate limiting it to slow enumeration attempts; the root fix is for the sign-up handler to return the same status and message whether or not a username is taken. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
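As an added illustration (written for this page; it is not Eskooly's code and is not taken from the cited reference), the following shows the three pieces discussed in the Exploitation and Mitigation sections side by side: a minimal sign-up handler that leaks account existence through its error text, the attacker's response-comparison loop, and a hardened handler that answers uniformly and budgets requests per client. The user store, the message strings, the `RateLimiter` class and the client key are constructed assumptions.

```python
"""Username-existence oracle in a sign-up form, and a hardened variant.
Illustrative code written for this page; it is not Eskooly's code. The user
store, the messages and the rate limiter are constructed assumptions."""
import time
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    body: str


def vulnerable_signup(users: set, username: str, password: str) -> Response:
    """Leaky handler: the error text depends on whether the name is taken,
    so an unauthenticated client can tell valid accounts from invalid ones."""
    if not username or not password:
        return Response(400, "all fields are required")
    if username in users:
        return Response(400, "the username is invalid")   # only for taken names
    users.add(username)
    return Response(200, "account created, check your e-mail")


@dataclass
class RateLimiter:
    """Fixed-window counter keyed by client address (assumed key; a real
    deployment would back this with a store shared across workers)."""
    limit: int = 5
    window: float = 60.0
    hits: dict = field(default_factory=dict)

    def allow(self, key: str, now: float) -> bool:
        start, count = self.hits.get(key, (now, 0))
        if now - start >= self.window:          # window expired: start over
            start, count = now, 0
        count += 1
        self.hits[key] = (start, count)
        return count <= self.limit


def hardened_signup(users: set, username: str, password: str,
                    client: str, limiter: RateLimiter, now: float) -> Response:
    """Uniform response: identical status and body whether or not the name is
    taken, plus a per-client request budget to slow down guessing."""
    if not limiter.allow(client, now):
        return Response(429, "too many requests, try again later")
    if not username or not password:
        return Response(400, "all fields are required")
    if username not in users:
        users.add(username)                     # real code would mark it unverified
    # Taken or not, the client learns nothing; confirmation goes by e-mail.
    return Response(200, "if the username is available you will receive an e-mail")


def enumerate_accounts(signup, candidates):
    """Attacker view: probe each candidate and compare against a control name
    that cannot already exist. Any response that differs from the control's
    marks the candidate as an existing account."""
    control = signup("zz-control-" + str(time.time_ns()), "Passw0rd!")
    return [name for name in candidates if signup(name, "Passw0rd!") != control]


if __name__ == "__main__":
    # Constructed user table standing in for the application's accounts.
    store = {"admin", "teacher01", "student42"}
    guesses = ["admin", "nobody", "teacher01", "guest"]
    print("leaky handler finds:",
          enumerate_accounts(lambda u, p: vulnerable_signup(store, u, p), guesses))
    store = {"admin", "teacher01", "student42"}
    lim = RateLimiter(limit=100)
    print("hardened handler finds:",
          enumerate_accounts(lambda u, p: hardened_signup(store, u, p, "203.0.113.7", lim, 0.0),
                             guesses))
```

Two caveats the code makes visible: the attacker's loop compares whole responses, so any remaining difference (status code, redirect target, response time from a skipped database write) reopens the oracle, and the handler must keep the success and failure paths as alike as possible; and a per-address budget slows a single client but not a distributed probe, which is why restricting access to the sign-up page, as advised above, remains the stronger control while no patch exists.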

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE. Mechanics are only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.