francoisjacquet/rosariosis on GitLab
RosarioSIS Student Information System for school management
CVE History
| CVE | Published | CVSS v2 | CVSS v3 |
|---|---|---|---|
| CVE-2021-44565 | 5.4 MEDIUM | 3.5 LOW | |
| A Cross Site Scripting (XSS) vulnerability exists in RosarioSIS before 7.6.1 via the xss_clean function in classes/Security.php, which allows remote malicious users to inject arbitrary JavaScript or HTML. An example of affected components are all Markdown input fields. | |||
| CVE-2021-44566 | 5.4 MEDIUM | 3.5 LOW | |
| A Cross Site Scripting (XSS) vulnerability exists in RosarioSIS before 4.3 via the SanitizeMarkDown function in ProgramFunctions/MarkDownHTML.fnc.php. | |||
| CVE-2021-44567 | 9.8 CRITICAL | 7.5 HIGH | |
| An unauthenticated SQL Injection vulnerability exists in RosarioSIS before 7.6.1 via the votes parameter in ProgramFunctions/PortalPollsNotes.fnc.php. | |||
| CVE-2021-44427 | 9.8 CRITICAL | 7.5 HIGH | |
| An unauthenticated SQL Injection vulnerability in Rosario Student Information System (aka rosariosis) before 8.1.1 allows remote attackers to execute PostgreSQL statements (e.g., SELECT, INSERT, UPDATE, and DELETE) through /Side.php via the syear parameter. | |||
| CVE-2020-13278 | 6.1 MEDIUM | 4.3 MEDIUM | |
| Reflected Cross-Site Scripting vulnerability in Modules.php in RosarioSIS Student Information System < 6.5.1 allows remote attackers to execute arbitrary web script via embedding javascript or HTML tags in a GET request. | |||
| CVE-2020-15718 | 6.1 MEDIUM | 4.3 MEDIUM | |
| RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper validation of user-supplied input by the PrintSchedules.php script. A remote attacker could exploit this vulnerability using the include_inactive parameter in a crafted URL. | |||
| CVE-2020-15716 | 6.1 MEDIUM | 4.3 MEDIUM | |
| RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper validation of user-supplied input by the Preferences.php script. A remote attacker could exploit this vulnerability using the tab parameter in a crafted URL. | |||
| CVE-2020-15717 | 6.1 MEDIUM | 4.3 MEDIUM | |
| RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper validation of user-supplied input by the Search.inc.php script. A remote attacker could exploit this vulnerability using the advanced parameter in a crafted URL. | |||
| CVE-2020-15721 | 6.1 MEDIUM | 4.3 MEDIUM | |
| RosarioSIS through 6.8-beta allows modules/Custom/NotifyParents.php XSS because of the href attributes for AddStudents.php and User.php. | |||