François Jacquet

**Name of the Vulnerable Software and Affected Versions** RosarioSIS Student Information System versions prior to 6.5.1 **Description** The issue concerns a Reflected Cross-Site Scripting vulnerability. This allows remote attackers to execute arbitrary web script via embedding javascript or HTML tags in a GET request. **Recommendations** For versions prior to 6.5.1, update to version 6.5.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** RosarioSIS version 6.7.2 **Description** The issue is caused by improper validation of user-supplied input by the Preferences.php script, allowing for XSS attacks. A remote attacker could exploit this using the `tab` parameter in a crafted URL, such as "/preferences.php?tab=". **Recommendations** For RosarioSIS version 6.7.2, update the Preferences.php script to properly validate user-supplied input to prevent XSS attacks. As a temporary workaround, consider restricting access to the Preferences.php script until a patch is available. Avoid using the `tab` parameter in crafted URLs until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** RosarioSIS version 6.7.2 **Description** The issue is caused by improper validation of user-supplied input by the Search.inc.php script, allowing for XSS attacks. A remote attacker could exploit this using the `advanced` parameter in a crafted URL, such as "/api/v1/search" or similar endpoints. **Recommendations** For RosarioSIS version 6.7.2, update the Search.inc.php script to properly validate user-supplied input, specifically the `advanced` parameter, to prevent XSS attacks. As a temporary workaround, consider restricting access to the Search.inc.php script until a patch is available.

**Name of the Vulnerable Software and Affected Versions** RosarioSIS version 6.7.2 **Description** The issue is caused by improper validation of user-supplied input by the PrintSchedules.php script, allowing a remote attacker to exploit it using the `include inactive` parameter in a crafted URL. **Recommendations** For RosarioSIS version 6.7.2, consider disabling the PrintSchedules.php script or restricting access to it until a patch is available. Avoid using the `include inactive` parameter in crafted URLs to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.