An issue in Eskooly Free Online School management Software v.3.0 and before allows a remote attacker to escalate privileges via a crafted request to the Password Change mechanism.
When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.