Reflected Cross-site scripting (XSS) vulnerability in RosarioSIS 8.2.1 allows attackers to inject arbitrary HTML via the search_term parameter in the modules/Scheduling/Courses.php script.
- Vendor: francoisjacquet
- Vendor Website: https://www.rosariosis.org/
- Affected Product: RosarioSIS
- Affected Versions: v8.2.1, however it is assumed earlier versions might be affected as well
- Use RosarioSIS 8.2.1.
- Open the URL vulnerable to XSS: http://localhost/rosariosis/Modules.php?modname=misc/ChooseCourse.php&modfunc=choose_course&course_modfunc=search&last_year=&search_term=%22%20onfocus%3D%22alert%28%60XSS%60%29 (make sure to replace localhost/rosariosis with your web server's path)
- Note that this website needs to be opened in a popup, for example using the javascript window.open() method. A proof of concept code is available in this repo.
User-supplied input in the search_term parameter is improperly neutralized in the modules/Scheduling/Courses.php script, which is accessible through ChooseCourse.php and ChooseRequest.php as shown in the proof of concept that you can find in this repo.
Update to the latest version of RosarioSIS. This issue was fixed in version v8.3.
- YouTube video showing the proof of concept: https://www.youtube.com/watch?v=PvFUxSGpWpY
- Commit containing the fix: https://gitlab.com/francoisjacquet/rosariosis/-/commit/aec018065ca12ecef03ee454a8112f992ea35315
- Changelog for version v8.3: https://gitlab.com/francoisjacquet/rosariosis/blob/mobile/CHANGES.md#changes-in-83
- 01.02.2022 - CVE published by MITRE
- 27.01.2022 - CVE was assigned and marked as reserved
- 17.12.2021 - Requested CVE through MITRE webform
- 22.10.2021 - Vendor released new version containing the fix (v8.3)
- 20.10.2021 - Received reply from vendor, along with a link to a new commit fixing the issue and the announcement that a new release containing the fix will follow in the same week. Vendor asked me to wait two months after that release before public disclosure.
- 20.10.2021 - Initial report to vendor
- 20.10.2021 - Finding of vulnerability