CVE-2024-47096 Overview
CVE-2024-47096 is a reflected Cross-Site Scripting (XSS) vulnerability [CWE-79] in Follett School Solutions Destiny Library Manager before version v22.0.1 AU1. The flaw resides in the showSupportExpiredMessage parameter of the handleloginform.do endpoint. A remote attacker can craft a malicious URL that injects arbitrary client-side JavaScript into the response rendered by the application. Exploitation requires user interaction, typically through clicking a crafted link. Successful attacks can lead to session token theft, credential harvesting, or unauthorized actions performed in the victim's browser context. The vulnerability primarily affects K-12 schools and educational institutions that deploy Destiny Library Manager for catalog and resource management.
Critical Impact
Attackers can execute arbitrary JavaScript in authenticated user sessions, enabling credential theft and session hijacking against school library administrators and patrons.
Affected Products
- Follett School Solutions Destiny Library Manager versions prior to v22.0.1 AU1
- Deployments exposing the handleloginform.do login handler
- Web-accessible Destiny instances reachable by students, staff, or external users
Discovery Timeline
- 2026-05-28 - CVE-2024-47096 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2024-47096
Vulnerability Analysis
The vulnerability is a reflected XSS issue in the Destiny Library Manager login flow. The handleloginform.do endpoint accepts a showSupportExpiredMessage parameter and reflects its value back into the HTML response without proper output encoding or sanitization. An attacker who controls the parameter value can inject HTML and JavaScript that executes in the victim's browser when the page renders.
Reflected XSS in a login handler is especially impactful because the targeted page is reached by every user attempting to authenticate. Injected scripts can rewrite the login form to capture credentials, exfiltrate session cookies that are not protected by HttpOnly, or perform CSRF-style requests against the application using the victim's authenticated context.
Root Cause
The root cause is improper neutralization of user-supplied input during web page generation. The showSupportExpiredMessage parameter value is concatenated into the HTML output without context-aware encoding for the HTML body, attribute, or JavaScript contexts where it is placed. No input validation rejects script tokens, event handlers, or angle brackets.
Attack Vector
The attack vector is network-based and requires user interaction. The attacker delivers a crafted URL targeting the Destiny handleloginform.do endpoint with a malicious showSupportExpiredMessage payload. Delivery typically occurs through phishing emails, instant messages, or links embedded on third-party sites. When a victim with access to the Destiny instance clicks the link, the malicious script executes in their browser under the application's origin.
No authentication is required to construct the payload, and the injected code runs with the privileges of whichever user follows the link. See the Securin Zero-Day Analysis for additional technical detail.
Detection Methods for CVE-2024-47096
Indicators of Compromise
- HTTP requests to handleloginform.do containing script tags, javascript: URIs, or event handlers such as onerror= in the showSupportExpiredMessage parameter
- URL-encoded payloads in the showSupportExpiredMessage parameter containing sequences like %3Cscript%3E, %3Cimg, or %6Aavascript
- Referrer headers from unexpected external domains pointing users to the Destiny login page
Detection Strategies
- Inspect web server and reverse proxy logs for query strings on handleloginform.do that include HTML metacharacters or encoded script payloads
- Deploy WAF rules that flag XSS signatures targeting the showSupportExpiredMessage parameter
- Correlate browser console errors and Content Security Policy violation reports with access logs to identify reflected payloads
Monitoring Recommendations
- Alert on outbound traffic from end-user browsers to unknown domains immediately after visits to the Destiny login page
- Monitor for anomalous session activity, including unexpected administrative actions following a login event
- Track unique source IPs generating high volumes of requests to handleloginform.do with varying parameter content
How to Mitigate CVE-2024-47096
Immediate Actions Required
- Upgrade Destiny Library Manager to version v22.0.1 AU1 or later as supplied by Follett School Solutions
- Restrict external network exposure of the Destiny login interface to trusted networks where feasible
- Notify staff and students of phishing risk and instruct them to avoid clicking unsolicited Destiny links
Patch Information
Follett School Solutions addressed this vulnerability in Destiny version v22.0.1 AU1. Administrators should coordinate with their Follett support channel to confirm patch availability for hosted and on-premises deployments. Refer to the Securin Zero-Day Analysis for advisory references.
Workarounds
- Configure a web application firewall to block requests containing HTML or script metacharacters in the showSupportExpiredMessage parameter
- Enforce a strict Content Security Policy that disallows inline scripts and restricts script sources to trusted origins
- Set HttpOnly and Secure flags on session cookies to limit the impact of script-based cookie theft
# Example WAF rule (ModSecurity) blocking XSS payloads in the vulnerable parameter
SecRule ARGS:showSupportExpiredMessage "@rx (?i)(<script|javascript:|onerror=|onload=)" \
"id:1004709,phase:2,deny,status:403,msg:'CVE-2024-47096 XSS attempt on handleloginform.do'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
