PatchSiren

PatchSiren cyber security CVE debrief

CVE-2021-44196 UBIT Information Technologies CVE debrief

A stored cross-site scripting (XSS) vulnerability exists in UBIT Information Technologies Student Information Management System versions prior to 20211126. The flaw stems from improper neutralization of script-related HTML tags in web page content, allowing attackers to inject malicious scripts that execute in victims' browsers. With a CVSS 3.1 score of 6.1 (Medium), this vulnerability requires network access and user interaction but can compromise session credentials or perform unauthorized actions on behalf of authenticated users. The Turkish National Cyber Security Incident Response Team (USOM) published vendor advisory TR-23-0131 addressing this issue. Organizations should upgrade to version 20211126 or later and implement Content Security Policy headers and input validation as defense-in-depth measures.

Vendor: UBIT Information Technologies
Product: Student Information Management System
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2023-03-07
Original CVE updated: 2026-05-18
Advisory published: 2023-03-07
Advisory updated: 2026-05-18

Who should care

Educational institutions deploying UBIT Student Information Management System; security teams managing academic ERP platforms; compliance officers responsible for student data protection under regulations such as FERPA or GDPR; web application security engineers maintaining legacy education software.

Technical summary

The vulnerability exists in the Student Information Management System's handling of user-supplied content. Insufficient sanitization allows injection of script-bearing HTML tags that persist in stored data and execute when rendered in browsers. The CVSS vector indicates a network attack vector, low attack complexity, and no privileges required, but user interaction is needed. The changed scope (S:C) indicates impact beyond the vulnerable component. Confidentiality and Integrity impacts are rated Low, with no Availability impact.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade UBIT Student Information Management System to version 20211126 or later to remediate the stored XSS vulnerability
  • Implement Content Security Policy (CSP) headers to mitigate impact of any residual XSS vectors
  • Apply context-aware output encoding for all user-supplied data rendered in HTML contexts
  • Review and strengthen input validation on all endpoints accepting user-generated content
  • Monitor for anomalous script execution patterns in web application logs
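
As an added illustration of the CSP and context-aware output encoding recommendations above (example code written for this debrief, not taken from the vendor's product or the USOM advisory): the same stored value is encoded separately for element content, a quoted attribute and an inline script string, and the page is served with a nonce-based policy. The function names, the sample field value and the policy directives are assumptions.

```python
import html
import json
import secrets

# Constructed sample of a stored, user-supplied field (not taken from the advisory).
STORED_NOTE = 'Ayse <script>document.title="x"</script> "quoted" & more'

def encode_html_body(value: str) -> str:
    """Encode for element content: <p>HERE</p>."""
    return html.escape(value, quote=False)

def encode_html_attr(value: str) -> str:
    """Encode for a quoted attribute value: <input value="HERE">."""
    return html.escape(value, quote=True)

def encode_js_string(value: str) -> str:
    """Encode for a string literal inside an inline <script> block."""
    literal = json.dumps(value)  # handles quotes, backslashes, control characters
    # Keep the HTML parser from seeing markup such as </script> inside the literal.
    for ch in "<>&\u2028\u2029":
        literal = literal.replace(ch, "\\u%04x" % ord(ch))
    return literal

def csp_header(nonce: str) -> tuple[str, str]:
    """Policy that refuses inline script unless it carries this response's nonce."""
    policy = (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'none'"
    )
    return ("Content-Security-Policy", policy)

def render_profile(note: str) -> tuple[dict, str]:
    """Render one page that places the same stored value in three contexts."""
    nonce = secrets.token_urlsafe(16)  # fresh per response
    body = (
        f"<p>{encode_html_body(note)}</p>\n"
        f'<input name="note" value="{encode_html_attr(note)}">\n'
        f'<script nonce="{nonce}">const note = {encode_js_string(note)};</script>'
    )
    return dict([csp_header(nonce)]), body

if __name__ == "__main__":
    headers, page = render_profile(STORED_NOTE)
    print(headers["Content-Security-Policy"])
    print(page)
```

Each encoder is only correct for its own context; the attribute encoder assumes the attribute value is quoted in the template.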

Evidence notes

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-80 (Improper Neutralization of Script-Related HTML Tags) identified. Affected CPE: cpe:2.3:a:ubit:student_information_management_system:*:*:*:*:*:*:*:* with versionEndExcluding 20211126.

Official resources

CVE-2021-44196 was published in the NVD on 2023-03-07, with the most recent modification on 2026-05-18. The vulnerability affects UBIT Student Information Management System builds before 20211126. USOM advisory TR-23-0131 provides vendor-co