PT-2020-14603 · RosarioSIS · RosarioSIS

François Jacquet · Published 2020-07-15 · Updated 2020-07-22 · CVE-2020-15716

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: RosarioSIS version 6.7.2

Description: The issue is caused by improper validation of user-supplied input by the Preferences.php script, allowing for XSS attacks. A remote attacker could exploit this through the tab parameter in a crafted URL, such as "/preferences.php?tab=".

Recommendations: For RosarioSIS version 6.7.2, update the Preferences.php script to properly validate user-supplied input so that XSS attacks are prevented. As a temporary workaround, consider restricting access to the Preferences.php script until a patch is available. Avoid using the tab parameter in crafted URLs until the issue is resolved.
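The following PHP snippet is an added illustration of the two remedies the recommendation names (validating the user-supplied value and encoding it on output); it is not RosarioSIS code, and the tab names, the page structure and the function names are assumptions. It places the vulnerable pattern, a query value written straight into markup, next to a hardened version that allowlists the `tab` value and HTML-encodes whatever is emitted.

```php
<?php
// Added illustration (not RosarioSIS code): a page selects which tab to show
// from the ?tab= query parameter. The tab identifiers below are hypothetical.

declare(strict_types=1);

// Hypothetical set of tab identifiers this page knows about.
const VALID_TABS = ['general', 'password', 'language'];

// VULNERABLE PATTERN: the raw query value is concatenated into HTML.
// Whatever is in ?tab= lands in the page unchanged (reflected XSS).
function render_tab_unsafe(array $query): string
{
    $tab = $query['tab'] ?? 'general';
    return '<a class="active" href="?tab=' . $tab . '">' . $tab . '</a>';
}

// HARDENED, step 1: validate against an allowlist and fall back to a known
// value instead of reflecting anything unexpected back to the browser.
function resolve_tab(array $query): string
{
    $tab = $query['tab'] ?? 'general';
    if (!is_string($tab) || !in_array($tab, VALID_TABS, true)) {
        return 'general';
    }
    return $tab;
}

// HARDENED, step 2: encode on output. ENT_QUOTES covers both quote styles so
// the value is safe inside a double- or single-quoted attribute as well as in
// element text; the charset is fixed so the encoder cannot be confused.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_tab_safe(array $query): string
{
    $tab = resolve_tab($query);
    return '<a class="active" href="?tab=' . html($tab) . '">' . html($tab) . '</a>';
}

// Usage with constructed requests: an expected value and an unexpected one.
// In a real handler the argument would be $_GET.
$expected   = ['tab' => 'password'];
$unexpected = ['tab' => 'not-a-tab"<i>'];   // constructed marker value, not a payload

echo render_tab_safe($expected), PHP_EOL;   // the allowed tab is rendered
echo render_tab_safe($unexpected), PHP_EOL; // falls back to the default tab
```

Validation alone is enough to stop the unexpected value reaching the page, and encoding alone would neutralise it even if it did; keeping both means a later change that widens the allowlist (say, to user-defined tab names) does not silently reopen the injection point.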

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers: CVE-2020-15716

Affected Products: RosarioSIS