VYPR
Moderate severity · NVD Advisory · Published Feb 22, 2022 · Updated Aug 4, 2024

CVE-2021-44566

Description

A Cross Site Scripting (XSS) vulnerability exists in RosarioSIS before 4.3 via the SanitizeMarkDown function in ProgramFunctions/MarkDownHTML.fnc.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

RosarioSIS before 4.3 contains a stored XSS vulnerability due to insufficient input sanitization in the SanitizeMarkDown function.

Vulnerability

A stored Cross-Site Scripting (XSS) vulnerability exists in RosarioSIS versions before 4.3. The flaw resides in the SanitizeMarkDown function within ProgramFunctions/MarkDownHTML.fnc.php. The function fails to properly sanitize user-provided Markdown input, allowing injection of arbitrary HTML and JavaScript. Affected versions include all releases prior to the 4.3 branch [1][2].

Exploitation

An attacker with the ability to submit Markdown content—for example, through text areas or input fields that process Markdown—can inject malicious scripts. The attacker crafts Markdown containing HTML or JavaScript payloads. When the SanitizeMarkDown function processes this input, the insufficient filtering allows the malicious code to pass through unsanitized. No authentication is required if the vulnerable input fields are accessible to unauthenticated users; otherwise, an authenticated user with appropriate privileges can trigger the stored XSS [3].

Impact

Successful exploitation leads to stored XSS, where the injected script is permanently stored on the server and executed in the browser of any user viewing the affected content. This can result in session hijacking, data theft, defacement, or redirection to malicious sites. The attacker gains the ability to perform actions as the victim within the context of the RosarioSIS application, potentially compromising sensitive information [2][3].

Mitigation

The vulnerability was fixed in RosarioSIS version 4.3. The fix adds an explicit call to $security->xss_clean() on the generated Markdown output within the SanitizeMarkDown function [2]. Users should upgrade to RosarioSIS 4.3 or later. No workaround is documented; upgrading to the patched version is the recommended course of action. This CVE is not listed in CISA's Known Exploited Vulnerabilities Catalog [1].
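The fix described above is an output-side sanitization step: the HTML that the Markdown renderer produces is cleaned before it is stored or displayed. The following PHP is an added illustration of that pattern and is not RosarioSIS code; renderMarkdown() is a constructed stand-in for a Markdown library, and sanitizeHtml() is a small allowlist sanitizer written for this example rather than the xss_clean() routine the advisory mentions. The "unsafe" and "safe" functions show the shape of the vulnerable and patched paths side by side.

```php
<?php
// Added illustration (not RosarioSIS code): render Markdown to HTML, then
// sanitize the rendered HTML against an allowlist before it reaches a browser.

declare(strict_types=1);

// Tag allowlist and the attributes each tag may keep (constructed for this example).
const ALLOWED_TAGS = [
    'p' => [], 'br' => [], 'strong' => [], 'em' => [], 'code' => [], 'pre' => [],
    'ul' => [], 'ol' => [], 'li' => [], 'blockquote' => [],
    'h1' => [], 'h2' => [], 'h3' => [],
    'a' => ['href', 'title'],
];
const ALLOWED_URL_SCHEMES = ['http', 'https', 'mailto'];

// Stand-in renderer: handles bold and links and, like most Markdown engines,
// passes inline HTML through untouched. That pass-through is why output
// sanitization is needed at all.
function renderMarkdown(string $md): string
{
    $html = preg_replace('/\*\*(.+?)\*\*/s', '<strong>$1</strong>', $md);
    $html = preg_replace('/\[([^\]]+)\]\(([^)\s]+)\)/', '<a href="$2">$1</a>', $html);
    return '<p>' . nl2br($html) . '</p>';
}

// Only allow relative URLs or an explicit, allowlisted scheme.
function isSafeUrl(string $url): bool
{
    $url = trim($url);
    if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $url, $m)) {
        return true; // relative URL, no scheme to abuse
    }
    return in_array(strtolower($m[1]), ALLOWED_URL_SCHEMES, true);
}

// Parse the rendered HTML and keep only allowlisted tags and attributes.
function sanitizeHtml(string $html): string
{
    $doc = new DOMDocument();
    // Wrap in a container so a fragment parses predictably; silence libxml warnings on odd markup.
    @$doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    $root = $doc->getElementsByTagName('div')->item(0); // the wrapper is the first div
    sanitizeNode($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function sanitizeNode(DOMNode $node): void
{
    // Iterate over a snapshot because the child list is mutated below.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!isset(ALLOWED_TAGS[$tag])) {
                if (in_array($tag, ['script', 'style'], true)) {
                    $node->removeChild($child);              // drop element and its contents
                } else {
                    $text = $child->ownerDocument->createTextNode($child->textContent);
                    $node->replaceChild($text, $child);      // drop the tag, keep visible text
                }
                continue;
            }
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name = strtolower($attr->name);
                $keep = in_array($name, ALLOWED_TAGS[$tag], true)
                    && !($name === 'href' && !isSafeUrl($attr->value));
                if (!$keep) {
                    $child->removeAttribute($attr->name);    // removes event handlers, unsafe hrefs, etc.
                }
            }
            sanitizeNode($child);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child);                      // comments, processing instructions
        }
    }
}

// Before: the vulnerable shape, rendered HTML returned as-is.
function sanitizeMarkDownUnsafe(string $md): string
{
    return renderMarkdown($md);
}

// After: the same rendering followed by sanitization of the generated HTML.
function sanitizeMarkDownSafe(string $md): string
{
    return sanitizeHtml(renderMarkdown($md));
}

// Constructed sample mixing legitimate Markdown with inline HTML that must not survive.
$sample = "**Hello** [docs](https://example.com) [x](javascript:alert(1)) <img src=x onerror=alert(1)>";
echo sanitizeMarkDownUnsafe($sample), "\n"; // inline HTML and javascript: link pass through
echo sanitizeMarkDownSafe($sample), "\n";   // <img> and the javascript: href are stripped
```

The allowlist here is deliberately tiny; a production application should use a maintained sanitizer such as HTML Purifier rather than a hand-rolled DOM walk, and the sanitization must run on the final HTML output, not on the Markdown source, because the renderer itself can produce markup from input that looked harmless as text.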

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: francoisjacquet/rosariosis (Packagist)
Affected versions: < 4.3
Patched versions: 4.3

Affected products

2 affected products.

Patches

0 patches. No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

5 references.

News mentions

0 news mentions. No linked articles in our index yet.