CVE-2021-3262 Information

Description

TripSpark VEO Transportation-2.2.x-XP_BB-20201123-184084 NovusEDU-2.2.x-XP_BB-20201123-184084 allows unsafe data inputs in POST body parameters from end users without sanitizing using server-side logic. It was possible to inject custom SQL commands into the \Student Busing Information\ search queries.

Reference

https://susos.co/blog/f/cve-disclosureuncovered-sql-injection-in-tripspark-veo-transport http://tripspark.com http://veo.com