Macadoshis

CVE-2020-15716 WRITEUP MEDIUM WRITEUP

RosarioSIS 6.7.2 - Cross-Site Scripting via Preferences.php Tab Parameter

RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper validation of user-supplied input by the Preferences.php script. A remote attacker could exploit this vulnerability using the tab parameter in a crafted URL.

CVSS 6.1

View Code

CVE-2020-15718 WRITEUP MEDIUM WRITEUP

RosarioSIS 6.7.2 - Cross-Site Scripting via PrintSchedules.php include_inactive Parameter

RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper validation of user-supplied input by the PrintSchedules.php script. A remote attacker could exploit this vulnerability using the include_inactive parameter in a crafted URL.

CVSS 6.1

View Code

CVE-2021-44567 WRITEUP CRITICAL WRITEUP

RosarioSIS < 7.6.1 - Unauthenticated SQL Injection via PortalPollsNotes Votes Parameter

An unauthenticated SQL Injection vulnerability exists in RosarioSIS before 7.6.1 via the votes parameter in ProgramFunctions/PortalPollsNotes.fnc.php.

CVSS 9.8

View Code

CVE-2020-15717 WRITEUP MEDIUM WRITEUP

RosarioSIS 6.7.2 - Cross-Site Scripting via Search.inc.php Advanced Parameter

RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper validation of user-supplied input by the Search.inc.php script. A remote attacker could exploit this vulnerability using the advanced parameter in a crafted URL.

CVSS 6.1

View Code

CVE-2020-15721 WRITEUP MEDIUM WRITEUP

RosarioSIS < 6.8 - Cross-Site Scripting via NotifyParents.php href Attributes

RosarioSIS through 6.8-beta allows modules/Custom/NotifyParents.php XSS because of the href attributes for AddStudents.php and User.php.

CVSS 6.1

View Code

CVE-2021-44565 WRITEUP MEDIUM WRITEUP

RosarioSIS < 7.6.1 - Cross-Site Scripting via Markdown Input Fields

A Cross Site Scripting (XSS) vulnerability exists in RosarioSIS before 7.6.1 via the xss_clean function in classes/Security.php, which allows remote malicious users to inject arbitrary JavaScript or HTML. An example of affected components are all Markdown input fields.

CVSS 5.4

View Code