CVE-2021-45416

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in RosarioSIS version 8.2.1 and possibly earlier versions. The issue resides in the modules/Scheduling/Courses.php script, where the search_term parameter from user input is not properly sanitized before being echoed back in the HTML response. This occurs when the script is accessed via Modules.php?modname=misc/ChooseCourse.php with modfunc=choose_course and course_modfunc=search. The vulnerable code directly outputs the value of $_REQUEST['search_term'] without encoding, allowing arbitrary HTML and script injection [2].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL containing the search_term parameter with injected JavaScript. The victim must be tricked into opening this URL, typically via a popup window using JavaScript's window.open() method. No authentication is required to trigger the reflection, and the attack does not require any special network position beyond normal user access. A proof-of-concept demonstrates using an onfocus event handler to execute JavaScript when the input field gains focus [2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, data theft, defacement, or further attacks against the user. The attacker gains the same privileges as the victim user within the RosarioSIS application [2].

Mitigation

The vulnerability was fixed in RosarioSIS version 8.3, released on October 22, 2021. The fix involves encoding HTML special characters using htmlspecialchars() on the search_term value before output [3]. Users should upgrade to version 8.3 or later. No workarounds are provided for earlier versions [2].