CVE-2020-15716

An unauthenticated remote attacker can craft a URL containing a malicious `tab` parameter (e.g., `tab=1%22onmouseover%3d%22alert(%60xss%60)`) and trick a logged-in victim into clicking it [ref_id=1]. When the victim's browser renders the Preferences.php page, the unsanitized `tab` value is injected into the HTML, causing the attacker's JavaScript to execute in the victim's session context [CWE-79]. The attack requires no special privileges and is delivered via a GET request over HTTP [ref_id=1].

The vulnerability is in `modules/Users/Preferences.php`, where the `tab` parameter from `$_REQUEST['tab']` is directly echoed into a `

The patch replaces the direct concatenation of `$_REQUEST['tab']` into the form action with the `URLEscape()` function, which properly encodes special characters [ref_id=2]. The diff shows the change from `echo '

1. Log in to RosarioSIS as an admin user. 2. Send a GET request to `http://rosariosis/Modules.php?modname=Users/Preferences.php&tab=%22%20onmouseover%3Dalert%281%29%20x%3D%22` [ref_id=3]. 3. Observe that the JavaScript executes when the page renders, confirming the XSS [ref_id=1][ref_id=3].