VYPR
Critical severity · NVD Advisory · Published Nov 29, 2021 · Updated Aug 4, 2024

CVE-2021-44427

Description

An unauthenticated SQL Injection vulnerability in Rosario Student Information System (aka rosariosis) before 8.1.1 allows remote attackers to execute PostgreSQL statements (e.g., SELECT, INSERT, UPDATE, and DELETE) through /Side.php via the syear parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated SQL injection in RosarioSIS before 8.1.1 allows remote attackers to execute arbitrary PostgreSQL statements via the syear parameter in /Side.php.

Vulnerability

Rosario Student Information System (RosarioSIS) versions before 8.1.1 contain an unauthenticated SQL Injection vulnerability in /Side.php. The syear parameter is not properly sanitized, allowing an attacker to inject malicious SQL statements. The vulnerability stems from improper access control combined with insufficient input validation, as detailed in the reported advisory [1]. Affected versions include 8.1 and earlier releases before the fix was applied.

Exploitation

An unauthenticated remote attacker can exploit this vulnerability by sending a crafted POST request to /Side.php with a malicious value in the syear parameter. No authentication or prior access is required. The advisory provides a proof-of-concept using sqlmap to execute arbitrary PostgreSQL statements such as SELECT, INSERT, UPDATE, and DELETE [1]. The attack is straightforward due to the lack of access controls and sanitization on the parameter.

Impact

Successful exploitation allows an attacker to execute arbitrary PostgreSQL statements against the database. This leads to full compromise of confidentiality, integrity, and availability (CIA) of the system, as an attacker can read, modify, or delete sensitive student and administrative data. The CVSS v3.1 score is 9.8 (Critical) [1][2], reflecting the severity of unauthenticated remote execution of SQL statements against the database.

Mitigation

The vulnerability is fixed in RosarioSIS version 8.1.1 [1][2]. The fix involved sanitizing input from $_REQUEST and moving vulnerable code to properly handled functions [4]. Users should upgrade to 8.1.1 or later immediately. There are no known workarounds for this issue. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) as of the publication date.
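For reviewing exposure before the upgrade, the following added example (not code from RosarioSIS or the advisory) flags requests to /Side.php whose syear value is not a plain year. It assumes a legitimate syear is exactly four digits and that request parameters are captured in an audit log; the log format and sample lines are constructed.

```python
import re
from urllib.parse import parse_qs

# Assumption: a legitimate syear is a plain four-digit school year.
SYEAR_OK = re.compile(r"\d{4}")

# Constructed audit-log lines: "<client> <method> <path> <urlencoded params>".
SAMPLE_LOG = """\
198.51.100.7 POST /Side.php syear=2021&school=1
203.0.113.9 POST /Side.php syear=2021%27+OR+%271%27%3D%271&school=1
203.0.113.9 POST /Side.php syear[]=2021
198.51.100.7 GET /Modules.php modname=misc/Portal.php
203.0.113.9 POST /Side.php school=1&syear=2021&syear=2020%3B
"""

def suspicious_syear(params: str) -> list[str]:
    """Return every syear value that is not exactly four digits."""
    parsed = parse_qs(params, keep_blank_values=True)
    bad = []
    for key, values in parsed.items():
        # PHP also accepts array syntax (syear[]=...), so match on the base name.
        if key.split("[", 1)[0] == "syear":
            if key != "syear":
                bad.extend(values)  # array form is never expected here
            else:
                bad.extend(v for v in values if not SYEAR_OK.fullmatch(v))
    return bad

def scan(log_text: str) -> list[tuple[str, str]]:
    """Return (client, offending value) for each flagged /Side.php request."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) != 4:
            continue
        client, _method, path, params = parts
        if path.split("?", 1)[0].lower().endswith("/side.php"):
            hits.extend((client, v) for v in suspicious_syear(params))
    return hits

if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"{client}\tsyear={value!r}")
```

Every repeated syear value is checked because PHP keeps the last occurrence of a duplicated parameter, so a clean first value does not clear the request.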

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: francoisjacquet/rosariosis (Packagist)
Affected versions: < 8.1.1
Patched versions: 8.1.1

Patches

e001430aa9fb

Fix #308 Unauthenticated SQL injection. Use sanitized `$_REQUEST` + Move Portal Poll vote code to modfunc

https://github.com/francoisjacquet/rosariosis · François Jacquet · Jan 30, 2021 · via ghsa
3 files changed · +22 −30
  • CHANGES.md+2 0 modified
    @@ -4,6 +4,8 @@
     Changes in 7.6.1
     ----------------
     - Fix #307 XSS update CodeIgniter Security class in classes/Security.php, thanks to @DustinBorn
    +- Move Portal Poll vote code to modfunc in PortalPollNotes.php & Portal.php
    +- Fix #308 Unauthenticated SQL injection. Use sanitized `$_REQUEST` in Portal.php, thanks to @DustinBorn
     
     Changes in 7.6
     --------------
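Review bot: the first added changelog line names the file as `PortalPollNotes.php`, but the file changed in this commit is `ProgramFunctions/PortalPollsNotes.fnc.php`; correct the name so the entry can be matched against the tree. The #308 entry could also say which input reached the query unsanitized (the poll `votes` POST), since "Use sanitized `$_REQUEST`" alone does not tell an administrator what to look for when reviewing logs.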
    
  • modules/misc/Portal.php+19 0 modified
    @@ -19,6 +19,25 @@
     	_redirectTakeAttendance();
     }
     
    +// AJAX poll vote call.
    +
    +if ( $_REQUEST['modfunc'] === 'poll_vote'
    +	&& ! empty( $_POST['votes'] ) )
    +{
    +	// Fix #308 Unauthenticated SQL injection. Use sanitized $_REQUEST.
    +	foreach ( (array) $_REQUEST['votes'] as $poll_id => $votes_array )
    +	{
    +		if ( ! empty( $votes_array ) )
    +		{
    +			// Result is displayed inside "divPortalPoll[id]" target div.
    +			echo PortalPollsVote( $poll_id, $votes_array );
    +
    +			// Do not go further.
    +			exit();
    +		}
    +	}
    +}
    +
     DrawHeader( ProgramTitle() );
     
     DrawHeader( '<span id="salute"></span>' );
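Review bot: the guard tests `$_POST['votes']` while the loop reads `$_REQUEST['votes']`, and `$poll_id` is taken from the array key and handed to `PortalPollsVote()` with no type check visible in this hunk. Test and iterate the same sanitized source, and cast or validate the key before the call (for example `(int) $poll_id`, rejecting values <= 0), since sanitizing values does not necessarily constrain keys. Also, when every `$votes_array` is empty the request falls through to `DrawHeader()` and renders the full page; an explicit `exit()` after the loop would keep the AJAX path separate.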
    
  • ProgramFunctions/PortalPollsNotes.fnc.php+1 30 modified
    @@ -2,8 +2,6 @@
     /**
      * Portal Polls and Portal Notes functions.
      *
    - * @todo Format code!
    - *
      * @package RosarioSIS
      * @subpackage ProgramFunctions
      */
    @@ -241,7 +239,7 @@ function PortalPollForm( $poll_id, $poll_questions_RET )
     	}
     
     	$poll_form .= '<form method="POST" id="formPortalPoll' . $poll_id . '"
    -		action="ProgramFunctions/PortalPollsNotes.fnc.php"
    +		action="Modules.php?modname=misc/Portal.php&modfunc=poll_vote"
     		target="divPortalPoll' . $poll_id . '">
     	<table class="width-100p widefat">';
     
    @@ -364,33 +362,6 @@ function PortalPollsVotesDisplay( $poll_id, $display_votes, $poll_questions_RET,
     	return $votes_display;
     }
     
    -// AJAX vote call:
    -
    -if ( isset( $_POST['votes'] )
    -	&& is_array( $_POST['votes'] ) )
    -{
    -	if ( empty( $_SERVER['HTTP_X_REQUESTED_WITH'] )
    -		|| $_SERVER['HTTP_X_REQUESTED_WITH'] !== 'XMLHttpRequest' )
    -	{
    -		die( 'Error: no AJAX' );
    -	}
    -
    -	chdir( '../' );
    -
    -	require_once 'Warehouse.php';
    -
    -	foreach ( (array) $_POST['votes'] as $poll_id => $votes_array )
    -	{
    -		if ( ! empty( $votes_array ) )
    -		{
    -			echo PortalPollsVote( $poll_id, $votes_array );
    -			break;
    -		}
    -	}
    -
    -	exit();
    -}
    -
     /**
      * @param $value
      * @param $name
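Review bot: nothing in this hunk stops `PortalPollsNotes.fnc.php` from still being requested directly once the handler at the end of the file is removed. The deleted block's only gate was the `X-Requested-With` check, which any client can set, so removing it is right; since the file should now only ever be included, consider a direct-access guard at the top of the file or a web-server rule denying requests under `ProgramFunctions/`, and confirm no other form still posts to the old URL.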
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
