PatchSiren cyber security CVE debrief

CVE-2021-44197 UBIT Information Technologies CVE debrief

A stored cross-site scripting (XSS) vulnerability exists in UBIT Information Technologies Student Information Management System versions prior to 20211126. The flaw stems from improper neutralization of script-related HTML tags in web page content, allowing attackers to inject malicious scripts that execute in victims' browsers. With a CVSS 3.1 score of 6.1 (MEDIUM), this vulnerability requires network access and user interaction but can compromise session credentials or perform unauthorized actions on behalf of authenticated users. The Turkish National Cyber Security Incident Response Team (USOM) published advisory TR-23-0131 documenting this issue. Organizations should upgrade to version 20211126 or later and implement Content Security Policy headers and input validation as defense-in-depth measures.

Vendor
UBIT Information Technologies
Product
Student Information Management System
CVSS
MEDIUM 6.1
CISA KEV
Not listed in stored evidence
Original CVE published
2023-03-07
Original CVE updated
2026-05-18
Advisory published
2023-03-07
Advisory updated
2026-05-18

Who should care

Organizations operating the UBIT Student Information Management System, particularly educational institutions that use the platform to manage student data, and the security teams responsible for its web application security and for compliance with data protection regulations.

Technical summary

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page). The affected product is UBIT Student Information Management System; versions prior to 20211126 are vulnerable. The attack vector is network-based with low complexity, requiring no privileges but user interaction. Successful exploitation allows script injection into pages rendered in the victim's browser; the CVSS vector records a scope change, low impact to confidentiality and integrity, and no impact to availability.

Defensive priority

medium

Recommended defensive actions

  • Upgrade UBIT Student Information Management System to version 20211126 or later
  • Implement Content Security Policy (CSP) headers to mitigate XSS impact
  • Apply context-aware output encoding for all user-supplied content
  • Review and strengthen input validation on all web form fields
  • Monitor for suspicious script injection attempts in application logs
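The two code-level measures above (context-aware output encoding and a CSP that denies inline script) are shown together below as an added example written for this debrief; it is not code from PatchSiren, UBIT, or the affected product. The function names, the student-card markup, and the sample record with its constructed payloads are assumptions made for illustration, not anything taken from the advisory.

```python
# Added example (not PatchSiren's or UBIT's code): render a fragment of a
# student page so that stored user input cannot become script (CWE-79/CWE-80),
# and emit a Content-Security-Policy header that blocks inline scripts as a
# second layer. All names and sample data below are constructed.
import html
from urllib.parse import urlsplit


def encode_html_body(value: str) -> str:
    """Encode text placed between HTML tags: & < > " ' become entities."""
    return html.escape(value, quote=True)


def encode_html_attribute(value: str) -> str:
    """Encode text placed inside a double-quoted attribute value.

    Escaping & < > " ' is sufficient as long as the template always wraps
    the attribute value in double quotes (never unquoted attributes).
    """
    return html.escape(value, quote=True)


def safe_href(url: str) -> str:
    """Allow only absolute http(s) URLs in href; anything else becomes '#'.

    Entity-encoding alone does not help here: a 'javascript:' URL is valid
    attribute text, so the scheme itself has to be checked.
    """
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_student_card(record: dict) -> str:
    """Build the student card, encoding each value for the context it lands in."""
    return (
        '<div class="student" title="{title}">'
        "<h2>{name}</h2>"
        '<a href="{href}">homepage</a>'
        "</div>"
    ).format(
        title=encode_html_attribute(record["note"]),   # attribute context
        name=encode_html_body(record["name"]),          # element body context
        href=safe_href(record["homepage"]),             # URL context
    )


def csp_header() -> str:
    """Value for the Content-Security-Policy response header.

    No 'unsafe-inline' in script-src: even if an encoding bug lets markup
    through, inline <script> and event-handler attributes will not execute.
    """
    directives = {
        "default-src": "'self'",
        "script-src": "'self'",
        "object-src": "'none'",
        "base-uri": "'self'",
        "frame-ancestors": "'none'",
    }
    return "; ".join(f"{name} {value}" for name, value in directives.items())


# Constructed sample record with hostile values in each of the three contexts.
SAMPLE_RECORD = {
    "name": "Ayşe <script>alert(1)</script>",
    "note": '" onmouseover="alert(1)',
    "homepage": "javascript:alert(1)",
}

if __name__ == "__main__":
    print(render_student_card(SAMPLE_RECORD))
    print("Content-Security-Policy:", csp_header())
```

The design point is that the encoding function is chosen by where the value is inserted, not by what the value looks like; input validation on form fields (the next bullet) is a useful extra filter but is not a substitute, because the same stored value can later be rendered in a context the validator never considered.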

Evidence notes

Vulnerability affects Student Information Management System versions before 20211126 per NVD CPE criteria. USOM advisory TR-23-0131 provides third-party confirmation. CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N indicates network-based attack with low complexity, no privileges required, user interaction needed, scope change, and low impact to confidentiality and integrity.

Official resources

2023-03-07