Francoisjacquet Rosariosis vulnerabilities

17 known vulnerabilities affecting francoisjacquet/rosariosis.

Total CVEs: 17
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 3, MEDIUM 10, LOW 1

Vulnerabilities

CVE-2024-3138 | LOW | CVSS 3.5 | affected: v11.5.1 | published 2024-04-01
CWE-79
** DISPUTED ** A vulnerability was found in francoisjacquet RosarioSIS 11.5.1. It has been rated as problematic. This issue affects some unknown processing of the component Add Portal Note. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The real existence o
Sources: GHSA, NVD, OSV
CVE-2023-2665 | HIGH | affected: ≥ 0, < 11.0 | published 2023-05-19
CWE-921: RosarioSIS Stores Sensitive Data in a Mechanism without Access Control
RosarioSIS prior to 11.0 allows anyone, regardless of authentication status, to download and view file attachments under the `salaries` module. In addition, the file names contain a date in a `YYYY-MM-DD` format and a random six-string digit, making enumerating file names with automated tools relatively easy. This could allow
Sources: GHSA, OSV
CVE-2023-29918 | MEDIUM | public PoC | affected: ≥ 0, ≤ 10.8.4 | published 2023-05-02
CWE-1236: RosarioSIS vulnerable to CSV Injection
RosarioSIS 10.8.4 is vulnerable to CSV injection via the Periods Module.
Sources: GHSA, OSV
CVE-2023-2202 | MEDIUM | affected: ≥ 0, < 10.9.3 | published 2023-04-21
CWE-284: RosarioSIS improper access control vulnerability
RosarioSIS prior to version 10.9.3 has a vulnerability that allows a user to return to a page containing personally identifiable information (PII) and sensitive information even after logging out of the application by using the browser's back button.
Sources: GHSA, OSV
CVE-2023-0994 | HIGH | affected: ≥ 0, < 10.8.2 | published 2023-02-24
CWE-200: RosarioSIS Improper Access Control vulnerability
Improper Access Control in GitHub repository francoisjacquet/rosariosis prior to 10.8.2.
Sources: GHSA, OSV
CVE-2022-2714 | HIGH | affected: ≥ 0, < 10.1 | published 2022-09-07
CWE-130: RosarioSIS before 10.1 vulnerable to Improper Handling of Length Parameter Inconsistency
RosarioSIS Student Information System prior to version 10.1 is vulnerable to Improper Handling of Length Parameter Inconsistency.
Sources: GHSA, OSV
CVE-2022-3072 | MEDIUM | affected: ≥ 0, < 8.9.3 | published 2022-09-02
CWE-79: francoisjacquet/rosariosis vulnerable to Cross-Site Scripting (XSS)
Cross-site Scripting (XSS) - Stored in GitHub repository francoisjacquet/rosariosis prior to 8.9.3.
Sources: GHSA, OSV
CVE-2022-2067 | CRITICAL | affected: ≥ 0, < 9.0 | published 2022-06-14
CWE-89: SQL Injection in RosarioSIS
SQL Injection in GitHub repository francoisjacquet/rosariosis prior to 9.0.
Sources: GHSA, OSV
CVE-2022-2036 | MEDIUM | affected: ≥ 0, < 9.1 | published 2022-06-10
CWE-79: Cross site scripting in francoisjacquet/rosariosis
A Cross-site Scripting (XSS) vulnerability exists in GitHub repository francoisjacquet/rosariosis prior to 9.1. HTML entities are not properly decoded from the URL.
Sources: GHSA, OSV
CVE-2022-1997 | MEDIUM | affected: ≥ 0, < 9.0 | published 2022-06-09
CWE-79: Cross-site Scripting in RosarioSIS
Cross-site Scripting (XSS) - Stored in GitHub repository francoisjacquet/rosariosis prior to 9.0.
Sources: GHSA, OSV
CVE-2021-44567 | CRITICAL | public PoC | affected: ≥ 0, < 7.6.1 | published 2022-02-25
CWE-89: SQL injection in francoisjacquet/rosariosis
An SQL Injection vulnerability exists in RosarioSIS before 7.6.1 via the votes parameter in ProgramFunctions/PortalPollsNotes.fnc.php.
Sources: GHSA, OSV
CVE-2021-44565 | MEDIUM | affected: ≥ 0, < 7.6.1 | published 2022-02-25
CWE-79: Cross site scripting in francoisjacquet/rosariosis
A Cross Site Scripting (XSS) vulnerability exists in RosarioSIS before 7.6.1 via the xss_clean function in classes/Security.php, which allows remote malicious users to inject arbitrary JavaScript or HTML. An example of affected components are all Markdown input fields.
Sources: GHSA, OSV
CVE-2021-44566 | MEDIUM | affected: ≥ 0, < 4.3 | published 2022-02-25
CWE-79: Cross site scripting in francoisjacquet/rosariosis
A Cross Site Scripting vulnerability exists in RosarioSIS before 4.3 via the SanitizeMarkDown function in ProgramFunctions/MarkDownHTML.fnc.php.
Sources: GHSA, OSV
CVE-2020-15721 | MEDIUM | affected: ≥ 0, < 6.8 | published 2022-02-10
CWE-79: Cross-site Scripting in RosarioSIS
RosarioSIS through 6.8-beta allows modules/Custom/NotifyParents.php XSS because of the href attributes for AddStudents.php and User.php.
Sources: GHSA, OSV
CVE-2021-45416 | MEDIUM | affected: ≥ 0, < 8.3 | published 2022-02-02
CWE-79: RosarioSIS XSS Vulnerability
Reflected Cross-site scripting (XSS) vulnerability in RosarioSIS 8.2.1 allows attackers to inject arbitrary HTML via the search_term parameter in the modules/Scheduling/Courses.php script.
Sources: GHSA, OSV
CVE-2021-44427 | CRITICAL | public PoC | affected: ≥ 0, < 8.1.1 | published 2021-12-02
CWE-89: SQL Injection in rosariosis
An unauthenticated SQL Injection vulnerability in Rosario Student Information System (aka rosariosis) before 8.1.1 allows remote attackers to execute PostgreSQL statements (e.g., SELECT, INSERT, UPDATE, and DELETE) through /Side.php via the syear parameter.
Sources: GHSA, OSV
CVE-2020-13278 | MEDIUM | affected: ≥ 0, < 6.5.1 | published 2021-05-06
CWE-79: Reflected cross-site scripting in francoisjacquet/rosariosis
Reflected Cross-Site Scripting vulnerability in Modules.php in RosarioSIS Student Information System < 6.5.1 allows remote attackers to execute arbitrary web script via embedding javascript or HTML tags in a GET request.
Sources: GHSA, OSV