CVE-2021-44565
Description
A Cross Site Scripting (XSS) vulnerability exists in RosarioSIS before 7.6.1 via the xss_clean function in classes/Security.php, which allows remote malicious users to inject arbitrary JavaScript or HTML. Examples of affected components are all Markdown input fields.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-Site Scripting (XSS) in RosarioSIS before 7.6.1 via xss_clean function allows arbitrary JavaScript/HTML injection in Markdown fields.
Vulnerability
A Cross-Site Scripting (XSS) vulnerability exists in RosarioSIS versions before 7.6.1, specifically in the xss_clean function in classes/Security.php. This function is used to sanitize user input in Markdown fields and other input areas, but it is based on an outdated CodeIgniter 2.1.3 filter that is susceptible to bypass. All Markdown input fields are affected [1][2].
Exploitation
An attacker can exploit this by crafting malicious input that bypasses the xss_clean filter. The proof of concept from [2] demonstrates that an admin user can log in, navigate to School_Setup/PortalNotes.php, and create a note containing malicious JavaScript or HTML. While the PoC uses admin, other user roles (students, teachers) may also be able to exploit the vulnerability in other parts of the application where the vulnerable function is used [2].
Impact
Successful exploitation allows a remote attacker to inject arbitrary JavaScript or HTML, leading to Cross-Site Scripting (XSS). This can result in session hijacking, website defacement, or redirection to malicious sites [1][2].
Mitigation
The vulnerability is fixed in RosarioSIS version 7.6.1, as indicated by the commit [3]. Users should upgrade to version 7.6.1 or later. No other workarounds are publicly documented.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| francoisjacquet/rosariosis (Packagist) | < 7.6.1 | 7.6.1 |
Affected products
- RosarioSIS/RosarioSIS
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-44cg-qcpr-fwjh (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-44565 (NVD advisory)
- gitlab.com/francoisjacquet/rosariosis/-/blob/mobile/CHANGES.md (changelog)
- gitlab.com/francoisjacquet/rosariosis/-/commit/0f5d1f1d193bc6b711d1644f172579d498ec1636 (fix commit)
- gitlab.com/francoisjacquet/rosariosis/-/issues/307 (issue with proof of concept)
News mentions
No linked articles in our index yet.