PatchSiren cyber security CVE debrief
CVE-2024-47097 Follet School Solutions CVE debrief
A reflected cross-site scripting (XSS) vulnerability exists in Follett School Solutions Destiny Library Manager versions prior to v22.0.1 AU1. The vulnerability resides in the `site` parameter of the `handleloginform.do` endpoint, allowing remote attackers to inject and execute arbitrary client-side code in a victim's browser context. The CVSS 4.0 vector indicates network attack vector with low attack complexity, no privileges required, and user interaction required for exploitation. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The NVD entry currently shows a status of 'Deferred', indicating the record may be awaiting additional analysis or vendor coordination.
- Vendor
- Follet School Solutions
- Product
- Destiny
- CVSS
- MEDIUM 5.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-28
- Original CVE updated
- 2026-05-28
- Advisory published
- 2026-05-28
- Advisory updated
- 2026-05-28
Who should care
Organizations operating Follett School Solutions Destiny Library Manager, particularly K-12 educational institutions and libraries using this integrated library system. Security teams responsible for educational technology infrastructure and application security practitioners managing legacy education software deployments.
Technical summary
Reflected cross-site scripting vulnerability in Follett School Solutions Destiny Library Manager versions before v22.0.1 AU1. The `site` parameter of `handleloginform.do` fails to properly sanitize user input, enabling injection of arbitrary JavaScript. Attack vector is network-based with low complexity, requiring user interaction but no authentication. CVSS 4.0 score: 5.1 (Medium).
Defensive priority
medium
Recommended defensive actions
- Upgrade Follett School Solutions Destiny Library Manager to version v22.0.1 AU1 or later to remediate the reflected XSS vulnerability
- Implement input validation and output encoding for the `site` parameter in `handleloginform.do`
- Deploy Content Security Policy (CSP) headers to mitigate impact of potential XSS exploitation
- Review web application firewall (WAF) rules to detect and block malicious payloads targeting the affected endpoint
- Conduct security assessment of authentication-related endpoints for additional injection vulnerabilities
Evidence notes
CVE published 2026-05-28 with NVD status 'Deferred'. Vendor attribution derived from reference domain analysis with low confidence; Follett School Solutions identified as affected vendor. Patch version v22.0.1 AU1 specified as remediation. CVSS 4.0 scoring applied.
Official resources
-
CVE-2024-47097 CVE record
CVE.org
-
CVE-2024-47097 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
33c584b5-0579-4c06-b2a0-8d8329fcab9c
public