Cross-site Scripting
RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper validation of user-supplied input by the PrintSchedules.php script. A remote attacker could exploit this vulnerability using the include_inactive parameter in a crafted URL.
- Software Link: https://gitlab.com/francoisjacquet/rosariosis
- Version: 6.7.2
- Tested on: Windows 10
The value supplied in the vulnerable include_inactive parameter must pass through the strip_tags sanitization intact and meet the syntax constraints at the sink. The vulnerable code path is reachable only when the modname and search_modfunc path constraints are satisfied.
- Log in as an admin user.
- Send the request.
- Observe the result:
http://rosariosis/Modules.php?modname=Scheduling/PrintSchedules.php&search_modfunc=list&include_inactive=" onmouseover="alert(1)"
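
Why strip_tags does not stop the include_inactive value above, shown beside output encoding for the attribute context. This is an added example, not RosarioSIS code. The double-quoted checkbox attribute sink and all function names are assumptions, since the page does not show the actual sink.

```php
<?php
// Added example, not RosarioSIS code. The sink (a double-quoted value
// attribute) is an assumption inferred from the shape of the payload.

// Constructed sample: the include_inactive value from the request above.
$payload = '" onmouseover="alert(1)"';

// Pattern described on the page: strip_tags() is the only sanitization.
// It removes <...> markup but leaves quote characters untouched.
function render_strip_tags_only(string $value): string
{
    return '<input type="checkbox" name="include_inactive" value="'
        . strip_tags($value) . '">';
}

// Hardened form: encode for the attribute context at the point of output.
function render_encoded(string $value): string
{
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="checkbox" name="include_inactive" value="'
        . $encoded . '">';
}

// Parse the markup and list the attribute names that end up on the <input>.
// An attribute the template never wrote means the value escaped its quotes.
function attribute_names(string $html): array
{
    libxml_use_internal_errors(true); // malformed markup is expected here
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    $names = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    return $names;
}

$variants = [
    'strip_tags only'  => render_strip_tags_only($payload),
    'htmlspecialchars' => render_encoded($payload),
];
foreach ($variants as $label => $html) {
    printf("%s\n  markup:     %s\n  attributes: %s\n",
        $label, $html, implode(', ', attribute_names($html)));
}
```

Any attribute name in the output beyond type, name and value was introduced by the request parameter rather than by the template.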
