CVE-2024-47097 Overview
CVE-2024-47097 is a reflected Cross-Site Scripting (XSS) vulnerability [CWE-79] in Follett School Solutions Destiny Library Manager before v22.0.1 AU1. The flaw resides in the site parameter of the handleloginform.do endpoint, which fails to properly sanitize user-supplied input before reflecting it into the HTTP response. A remote attacker can craft a malicious URL that executes arbitrary client-side JavaScript in the browser of any user who follows the link.
Destiny is widely deployed across K-12 school libraries for catalog and resource management, making the login interface a high-traffic target for phishing-style abuse.
Critical Impact
Attackers can hijack authenticated sessions, steal credentials submitted to the login form, or redirect users to attacker-controlled infrastructure by abusing the unsanitized site parameter.
Affected Products
- Follett School Solutions Destiny Library Manager versions prior to v22.0.1 AU1
- The handleloginform.do login handler endpoint
- Web-facing Destiny deployments accessible to students, staff, and external users
Discovery Timeline
- 2026-05-28 - CVE-2024-47097 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2024-47097
Vulnerability Analysis
The vulnerability is a reflected XSS flaw in the Destiny Library Manager login workflow. When a request reaches handleloginform.do, the application echoes the site query parameter back into the rendered HTML response without applying output encoding or input validation. An attacker who controls the value of site can inject arbitrary HTML and JavaScript that the victim's browser executes within the trust context of the Destiny application.
Because the payload runs in the same origin as the legitimate application, attacker-supplied script can read cookies that are not protected with HttpOnly, manipulate the Document Object Model (DOM) of the login page, and exfiltrate credentials entered by the user. The vulnerability requires user interaction, typically a click on a crafted link delivered through email, chat, or a third-party site.
Root Cause
The root cause is improper neutralization of input during web page generation [CWE-79]. The site parameter is incorporated into server-rendered output without HTML entity encoding or contextual escaping. The application treats parameter input as trusted markup rather than untrusted data, allowing script tags and event handlers to break out of their intended attribute or text context.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker constructs a URL pointing to the legitimate Destiny host with a malicious payload embedded in the site parameter of handleloginform.do. The attacker then distributes the URL through phishing emails, social media, or compromised pages targeting school staff and students. When a victim opens the link, the injected JavaScript executes in their browser, with access to any session state or form data tied to the Destiny origin.
No authentication is required to deliver the payload, and the login page is reachable by unauthenticated visitors, which broadens the attack surface across student, librarian, and administrator user populations.
Detection Methods for CVE-2024-47097
Indicators of Compromise
- Inbound HTTP requests to handleloginform.do where the site parameter contains <script>, javascript:, onerror=, onload=, or encoded variants such as %3Cscript%3E
- Outbound browser requests to unfamiliar domains immediately after a user visits the Destiny login page
- Web server access logs showing unusually long or URL-encoded site parameter values
- Reports from users describing unexpected pop-ups, redirects, or credential prompts on the Destiny login screen
Detection Strategies
- Inspect web application firewall (WAF) and reverse proxy logs for XSS signatures targeting the site query parameter
- Correlate referer headers and click-through patterns from external sources landing on handleloginform.do with suspicious parameter content
- Enable Content Security Policy (CSP) reporting to capture inline-script and external-script violations originating from the Destiny domain
Monitoring Recommendations
- Forward Destiny web server access logs to a centralized SIEM and alert on query strings containing common XSS payload patterns
- Monitor authentication telemetry for sessions created shortly after access to crafted URLs, which may indicate session hijacking
- Track referer chains for the Destiny login endpoint to identify campaigns distributing weaponized links
How to Mitigate CVE-2024-47097
Immediate Actions Required
- Upgrade Destiny Library Manager to version v22.0.1 AU1 or later, where the site parameter handling is corrected
- Restrict external exposure of the Destiny login interface to required user populations using network access controls
- Review recent web server logs for evidence of exploitation against handleloginform.do and rotate credentials for any affected accounts
Patch Information
Follett School Solutions addressed the vulnerability in Destiny v22.0.1 AU1. Administrators should apply the upgrade through standard Follett update channels. Refer to the Securin Zero-Day Analysis for additional technical context on the patched release.
Workarounds
- Deploy a WAF rule that blocks or sanitizes requests to handleloginform.do containing HTML tags, JavaScript URI schemes, or event-handler attributes in the site parameter
- Enforce a strict Content Security Policy that disallows inline script execution and limits script sources to trusted origins
- Set the HttpOnly and Secure flags on Destiny session cookies to reduce the impact of script-based cookie theft
- Educate library staff and end users to avoid clicking Destiny links received from untrusted sources until patching is complete
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
