CVE-2020-15718

MEDIUM NUCLEI

RosarioSIS 6.7.2 - Cross-Site Scripting via PrintSchedules.php include_inactive Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-15718. PoCs published by CodeSecLab. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit demonstrates a reflected XSS vulnerability in RosarioSIS 6.7.2 via the 'include_inactive' parameter in the Scheduling module. The PoC uses an 'onmouseover' event to trigger an alert, confirming the vulnerability.

Description

RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper validation of user-supplied input by the PrintSchedules.php script. A remote attacker could exploit this vulnerability using the include_inactive parameter in a crafted URL.

Exploits (1)

exploitdb WORKING POC
by CodeSecLab · text · webapps · php
https://www.exploit-db.com/exploits/52449

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: RosarioSIS 6.7.2
Auth required
Prerequisites: Admin access to the RosarioSIS application
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

RosarioSIS 6.7.2 - Cross-Site Scripting
MEDIUM · VERIFIED · by 0xr2r, jarvis-survives
Shodan: http.html:"RosarioSIS"

Scores

CVSS v3 6.1
EPSS 0.1020
EPSS Percentile 93.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
rosariosis/rosariosis 6.7.2
Published Jul 15, 2020
Tracked Since Feb 18, 2026