CVE-2023-2665

Name of the Vulnerable Software and Affected Versions RosarioSIS versions prior to 11.0

Description The issue allows unauthorized access to sensitive data due to a lack of access control in a mechanism. Specifically, it enables anyone to download and view file attachments under the salaries module, regardless of their authentication status. The file names follow a predictable format, including a date in YYYY-MM-DD format and a random six-digit string, making it relatively easy for attackers to enumerate file names using automated tools. This could potentially allow attackers to gain access to sensitive salary information.

Recommendations For versions prior to 11.0, update to version 11.0 or later, which includes a patch that adds microseconds to filenames, making them harder to guess and thereby mitigating the risk of unauthorized access to sensitive salary information.