CVE-2024-27717
Description
CSRF vulnerability in Eskooly v3.0 and earlier lets remote attackers escalate privileges by tricking authenticated users into unintended actions due to missing anti-CSRF tokens.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in Eskooly Free Online School Management Software version 3.0 and earlier. The flaw resides in the Token Handling component, where the application fails to implement anti-CSRF tokens for state-changing requests. This allows an attacker to craft malicious requests that can be executed on behalf of an authenticated user without their consent. The affected versions include all releases up to and including v3.0 [1].
Exploitation
An attacker does not require any authentication or direct network access to the target application. The exploit involves crafting a malicious HTML payload that triggers a POST request to the endpoint handling account updates (e.g., changing email or password). The attacker then tricks an authenticated administrator into visiting the crafted page or clicking a malicious link. If the victim has an active session, the request is executed with their privileges, leading to unauthorized changes [1].
Impact
Successful exploitation allows the attacker to perform unauthorized actions on behalf of the victim, such as altering account credentials (email and password). This can result in privilege escalation if the victim is an administrator, potentially granting the attacker full control over the application. The confidentiality, integrity, and availability of user data and application functions are at high risk [1].
Mitigation
No official patch has been released by the vendor as of the publication date. The recommended mitigation is to implement anti-CSRF tokens — unique, unpredictable values — in all forms and state-changing requests. Additionally, enforcing SameSite cookie attributes and validating origin headers can help reduce risk until a permanent fix is available [1].
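The three mitigations named above (a per-session anti-CSRF token checked on every state-changing POST, a SameSite attribute on the session cookie, and Origin/Referer validation) are shown together below in a small account-update handler. This is an added illustration, not Eskooly's code and not a patch for it; the application origin `https://school.example`, the handler and account structures, and the forged request used in `demo()` are all constructed for the example. The unprotected variant reproduces the missing-token behaviour the advisory describes so that the difference is visible in the returned account state.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed deployment origin of the school-management app; the real host is not on the page.
APP_ORIGIN = "https://school.example"


def issue_csrf_token(session):
    """Generate an unpredictable per-session token and store it server-side.

    The same value is embedded in every state-changing form as a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def session_cookie_header(session_id):
    """Set-Cookie value for the session cookie with the SameSite defence enabled.

    SameSite=Lax stops the browser from attaching the cookie to cross-site POSTs,
    so a forged request arrives unauthenticated even if a token check is missed."""
    return f"PHPSESSID={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def origin_allowed(headers):
    """Check the Origin header, falling back to Referer, against the app origin.

    A state-changing request that carries neither header is rejected."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == APP_ORIGIN
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}" == APP_ORIGIN
    return False


def validate_state_change(session, headers, form):
    """Return (accepted, reason) for a POST that changes account state."""
    if not origin_allowed(headers):
        return False, "origin mismatch"
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False, "missing csrf token"
    # Constant-time comparison so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(expected, submitted):
        return False, "csrf token mismatch"
    return True, "ok"


def update_account(session, headers, form, account, protected=True):
    """Account-update handler; protected=False mirrors the missing-token behaviour."""
    if protected:
        accepted, reason = validate_state_change(session, headers, form)
        if not accepted:
            return {"status": 403, "reason": reason, "account": dict(account)}
    account = dict(account)
    if "email" in form:
        account["email"] = form["email"]
    return {"status": 200, "reason": "updated", "account": account}


def demo():
    """Run one constructed cross-site POST against both handler variants.

    Returns the account email after the unprotected and after the protected handler."""
    session = {"user": "admin"}  # constructed: an authenticated administrator session
    issue_csrf_token(session)
    account = {"email": "admin@school.example"}  # constructed sample account
    # Constructed forged request: foreign Origin and no hidden token field.
    forged_headers = {"Origin": "https://attacker.example"}
    forged_form = {"email": "attacker@attacker.example"}
    unprotected = update_account(session, forged_headers, forged_form, account, protected=False)
    protected = update_account(session, forged_headers, forged_form, account, protected=True)
    return unprotected["account"]["email"], protected["account"]["email"]


if __name__ == "__main__":
    print(demo())
```

The origin check runs first because it needs no server-side state and rejects the common case outright; the token check then covers clients that strip or omit those headers. In a real deployment the token must also be rotated on login so a pre-authentication session cannot be used to fix it.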
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Eskooly: Range <=3.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE. Mechanics are only generated when we can read the actual fix diff; without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.