CVE-2021-3262
CRITICALTripSpark VEO Transportation <2.2.x - SQL Injection
Title source: llmDescription
TripSpark VEO Transportation-2.2.x-XP_BB-20201123-184084 NovusEDU-2.2.x-XP_BB-20201123-184084 allows unsafe data inputs in POST body parameters from end users without sanitizing using server-side logic. It was possible to inject custom SQL commands into the "Student Busing Information" search queries.
References (3)
Core 3
Core References
Product
http://tripspark.com
Broken Link
http://veo.com
Exploit, Third Party Advisory
https://susos.co/blog/f/cve-disclosureuncovered-sql-injection-in-tripspark-veo-transport
Scores
CVSS v3
9.8
EPSS
0.0101
EPSS Percentile
59.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-89
Status
published
Products (2)
trispark/novusedu
2.2.x-xp_bb-20201123-184084
trispark/veo_transportation
2.2.x-xp_bb-20201123-184084os
Published
Aug 29, 2023
Tracked Since
Feb 18, 2026