VYPR
Moderate severity · NVD Advisory · Published Jul 14, 2020 · Updated Aug 4, 2024

CVE-2020-15721

Description

RosarioSIS through 6.8-beta allows modules/Custom/NotifyParents.php XSS because of the href attributes for AddStudents.php and User.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

RosarioSIS through 6.8-beta has a reflected XSS vulnerability in modules/Custom/NotifyParents.php: request input is written into href attributes without escaping, allowing arbitrary JavaScript execution in the victim's session.

Vulnerability

Description

CVE-2020-15721 is a reflected cross-site scripting (XSS) vulnerability in RosarioSIS up to and including version 6.8-beta. The flaw resides in the modules/Custom/NotifyParents.php file, where the href attributes of the links to AddStudents.php and User.php are built from request input without proper escaping, so a crafted value can break out of the attribute and inject markup or script [1][3].

Exploitation

An attacker exploits this by crafting a URL whose parameters (e.g., staff_id) carry a payload that is concatenated verbatim into the href attribute. Because the value is not escaped, a double quote in it terminates the attribute and the remainder of the payload becomes new attributes on the link, such as an event handler. When a victim, typically an authenticated user, opens the crafted URL and then clicks the link or hovers over it (if the payload used an event handler), the script executes in the context of the application under the victim's session. No account is required to build and deliver the crafted URL, but the victim must be logged in for full impact [3].

Impact

Successful exploitation leads to reflected XSS, enabling the attacker to steal session cookies, perform actions on behalf of the victim, or deface the web interface. The vulnerability has a CVSS v3.1 base score of 6.1 (Medium) according to the NVD [1], with limited confidentiality and integrity impact and no availability impact.

Mitigation

The issue was fixed in commit c4a69486 by wrapping the href attributes in the URLEscape() function [3]. Users are advised to upgrade to 6.8 or later (the GitHub Security Advisory lists 6.8 as the patched version) or to apply the patch manually. Note that GitLab issue #291 also covers other XSS locations in RosarioSIS; this commit addresses the NotifyParents.php instance specifically [2][3].
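As an added illustration of the Exploitation and Mitigation sections above (this is not RosarioSIS code and not the cited patch), the two PHP helpers below build the kind of link NotifyParents.php emits, once with the request value concatenated raw and once with it escaped. The URL shape, the parameter name staff_id and the payload are assumptions. The hardened version uses PHP's standard urlencode() and htmlspecialchars() rather than the project's own URLEscape(), which is what commit c4a69486 applies.

```php
<?php
// Added example, not RosarioSIS code. Demonstrates how an unescaped request
// parameter inside an href attribute becomes reflected XSS, and the two-layer
// encoding that prevents it. The URL shape and parameter name are assumed.

// Vulnerable pattern: the raw request value is concatenated into the
// attribute. A double quote in the value closes href="..." early and the
// rest of the value is parsed as additional attributes on the <a> element.
function build_link_unsafe(string $staff_id): string
{
    return '<a href="Modules.php?modname=Custom/AddStudents.php&staff_id='
        . $staff_id . '">Add students</a>';
}

// Hardened pattern: two output contexts, two encodings, applied in order.
//  1. urlencode() for the query-string context: the value cannot add new
//     parameters or break the URL.
//  2. htmlspecialchars() with ENT_QUOTES for the attribute context: the
//     finished URL cannot terminate the surrounding double-quoted attribute.
function build_link_safe(string $staff_id): string
{
    $url = 'Modules.php?modname=Custom/AddStudents.php&staff_id='
        . urlencode($staff_id);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8')
        . '">Add students</a>';
}

// Constructed payload of the kind a crafted URL would carry: it closes the
// href attribute and appends an event handler that fires on hover.
$payload = '1" onmouseover="alert(document.cookie)';

echo "Unsafe: " . build_link_unsafe($payload) . "\n";
echo "Safe:   " . build_link_safe($payload) . "\n";
```

Run it with the php CLI. In the unsafe output the injected quote ends the href attribute and onmouseover becomes a live attribute on the link, which is the hover trigger described above; in the safe output the whole payload stays inside the query string as percent-encoded text and the `&` separating parameters is emitted as `&amp;`, which is the correct form inside an HTML attribute. The check to carry into a code review of similar templates is that every value reaching an href is encoded for the URL and then escaped for HTML, not one or the other.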

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: francoisjacquet/rosariosis (Packagist)
Affected versions: < 6.8
Patched versions: 6.8

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 5
