VYPR
Unrated severity · NVD Advisory · Published Jul 15, 2020 · Updated Apr 16, 2025

CVE-2020-15718

Description

RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper validation of user-supplied input by the PrintSchedules.php script. A remote attacker could exploit this vulnerability using the include_inactive parameter in a crafted URL.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Improper sanitization of user-supplied input in the `include_inactive` parameter of `PrintSchedules.php` allows reflected XSS."

Attack vector

A remote attacker crafts a URL containing a malicious payload in the `include_inactive` parameter, such as `include_inactive=1%22onmouseover%3d%22alert(1)%22style%3d%22` [ref_id=1]. The attacker sends this URL to a victim (e.g., via phishing). When the victim, who must be logged into RosarioSIS, visits the URL, the unescaped parameter value is reflected into an HTML attribute; the injected `onmouseover` event handler then executes the attacker's JavaScript when the victim moves the mouse over the affected element [ref_id=1]. The attack requires no authentication beyond the victim being logged in and no special privileges [ref_id=1].

Affected code

The vulnerability is in `modules/Scheduling/PrintSchedules.php`, where the `include_inactive` parameter is reflected into the page without proper escaping [ref_id=1]. The same class of issue also affects `modules/Users/Preferences.php` (the `tab` parameter) and `modules/Users/Search.inc.php` (the `advanced` parameter) [ref_id=1].

What the fix does

The fix, introduced in version 6.8, wraps the `$_REQUEST['modname']` value (and other user-supplied values used in form actions) with the `URLEscape()` function before embedding them in HTML [ref_id=2]. The commit message states "Fix #291 XSS Use URLEscape() for forms action, program wide" [ref_id=2]. `URLEscape()` properly encodes special characters, preventing an attacker from breaking out of the attribute context and injecting arbitrary HTML or JavaScript. The remediation example in the issue also shows using `htmlspecialchars(strip_tags())` on the `tab` parameter as an alternative approach [ref_id=1].
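The attribute-context problem described above, as an added example that is not RosarioSIS code: a form action built from raw request values, beside the same builder with the values escaped first. RosarioSIS's own `URLEscape()` helper is not reproduced; the hardened version uses the `htmlspecialchars(strip_tags())` remediation the issue cites. The function names and the sample request are assumptions constructed for this illustration.

```php
<?php
// Added example (not RosarioSIS code). Function names and the $sample request
// below are constructed for illustration only.

// Vulnerable pattern: the raw parameter lands inside a double-quoted attribute,
// so a '"' in the value closes the attribute and the rest becomes markup.
function buildFormActionVulnerable(array $request): string
{
    $modname = $request['modname'] ?? '';
    $includeInactive = $request['include_inactive'] ?? '';
    return '<form action="Modules.php?modname=' . $modname
        . '&include_inactive=' . $includeInactive . '" method="post">';
}

// Hardened pattern: strip tags, then HTML-encode with ENT_QUOTES so neither
// '"' nor "'" can terminate the attribute. This mirrors the
// htmlspecialchars(strip_tags()) remediation from the issue, not URLEscape().
function escapeForAttribute(string $value): string
{
    return htmlspecialchars(strip_tags($value), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function buildFormActionHardened(array $request): string
{
    $modname = escapeForAttribute($request['modname'] ?? '');
    $includeInactive = escapeForAttribute($request['include_inactive'] ?? '');
    return '<form action="Modules.php?modname=' . $modname
        . '&amp;include_inactive=' . $includeInactive . '" method="post">';
}

// Constructed sample request using the payload shape quoted in the advisory.
$sample = [
    'modname' => 'Scheduling/PrintSchedules.php',
    'include_inactive' => '" onmouseover="alert(1)"',
];

echo buildFormActionVulnerable($sample), PHP_EOL;
// Attribute is closed early; onmouseover="alert(1)" becomes a live handler.
echo buildFormActionHardened($sample), PHP_EOL;
// &quot; onmouseover=&quot;alert(1)&quot; stays inert text inside the attribute.

// Regression check a maintainer could keep: the only double quotes in the
// hardened output are the four that delimit the action and method attributes.
assert(substr_count(buildFormActionHardened($sample), '"') === 4);
```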

Preconditions

  • auth: Victim must be logged into RosarioSIS
  • input: Attacker must craft a URL with a malicious payload in the include_inactive parameter
  • network: Victim must visit the crafted URL and interact with the page (e.g., mouseover)

Reproduction

1. Log in to RosarioSIS 6.7.2 as an admin user [ref_id=3].
2. Send a GET request to the following URL (adjust host as needed): `http://rosariosis/Modules.php?modname=Scheduling/PrintSchedules.php&search_modfunc=list&include_inactive=" onmouseover="alert(1)"` [ref_id=3].
3. Move the mouse over the injected element on the resulting page to trigger the XSS payload [ref_id=1][ref_id=3].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
