CVE-2020-15717

A remote attacker crafts a URL containing malicious JavaScript in the `advanced` parameter (e.g., `advanced=1%22onmouseover%3d%22alert(\`xss\`)%22`) and tricks a victim into clicking it [ref_id=1]. When the victim's browser renders the page, the unsanitized parameter value is injected into the HTML, causing the attacker's script to execute in the victim's session context [ref_id=1]. The attack requires no authentication and is delivered over HTTP GET [ref_id=1].

The vulnerability exists in `modules/Users/Search.inc.php`, `modules/Users/Preferences.php`, and `modules/Scheduling/PrintSchedules.php` [ref_id=1]. The `advanced` parameter in `Search.inc.php`, the `tab` parameter in `Preferences.php`, and the `include_inactive` parameter in `PrintSchedules.php` are echoed into HTML form `action` attributes without sanitization [ref_id=1].

The fix applies the `URLEscape()` function to user-supplied values before they are placed into form `action` attributes, as shown in the commit diff [ref_id=2]. For example, `echo '

1. Open a browser and navigate to: `http://RosarioSIS.edu/Modules.php?modname=Users/User.php&next_modname=Users/User.php&advanced=1%22onmouseover%3d%22alert(%60xss%60)%22` [ref_id=1]. 2. Hover over or interact with the injected element on the rendered page. 3. Observe that the JavaScript `alert('xss')` executes, confirming the reflected XSS [ref_id=1].