This year Schoolbox has committed to further improving and enhancing our security and privacy controls across the board. We are on a journey to achieving compliance with a range of security frameworks including ST4S and ISO27001. We have worked to enhance our policies, documentation, product and processes.
At the beginning of this year Schoolbox engaged a 3rd party independent security company, The Missing Link. The security consultants were tasked with scanning both our organisations perimeter defences and our product.
Schoolbox is being frequently penetration tested as part of independent assessments being performed by our schools, their security consultants and their students. We have been very appreciative over the years for the exploits discovered and insights generated by these audits. It has given us a unique opportunity to see how well many different vendors have approached this task.
Back in 2022 The Missing Link reached out to us as part of their responsible disclosure process to seek remediation for an exploit they discovered. That discussion led to the very first CVE-2022-3059 being reported. We took note of the novel exploit discovery and the professional way they reported the issue.
Following on from that successful collaboration, when it came time to do our own audit we were confident The Missing Link would do the deep analysis required to find any exploits. During January The Missing Link team commenced work and as they discovered issues our development team was immediately able to remediate and fix any exploits discovered. This ensured that any customers running that latest version of Schoolbox 23.1.3+ received immediate patches for all discovered issues.
The report identified a total of 13 issues spread across a range of different risk ratings.
| Risk Rating | Number |
| Critical | 1 |
| High | 1 |
| Medium | 1 |
| Low | 7 |
| Informational | 3 |
From this we choose to publish 4 CVE that were discovered during this penetration test that we deemed as potential risk for exploitation:
- CVE-2024-28094: SQL Injection in Chat
- CVE-2024-28095: XSS in News
- CVE-2024-28096: XSS in Class
- CVE-2024-28097: XSS in Calendar
As these security exploits are now publicly disclosed, we highly recommend that all schools ensure they are running the latest version of Schoolbox 23.1 to ensure you are protected from these exploits. If you are interested in more information regarding this audit or would like a copy of the audit please reach out via Support.
Following the penetration test, The Missing Link also conducted a workshop with our development team to discuss best practices and highlight key areas for the team to focus on with future development. Overall we found this engagement to be highly productive and will be continuing to engage with The Missing Link on future security campaigns.
