Cross-site Scripting (XSS) - Stored in francoisjacquet/rosariosis
Description
Cross-site Scripting (XSS) - Stored in GitHub repository francoisjacquet/rosariosis prior to 9.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
RosarioSIS prior to 9.0 contains a stored XSS vulnerability due to insufficient sanitization of user-controlled URL parameters.
Vulnerability Analysis
CVE-2022-1997 is a stored cross-site scripting (XSS) vulnerability in RosarioSIS, a student information system, affecting versions prior to 9.0 [1]. The root cause lies in the PreparePHP_SELF.fnc.php file, which reuses inline JavaScript taken from the URL without proper sanitization [3]. The fix changes strpos to stripos so that the string filtering is case-insensitive, and inline JavaScript is removed from the URL regardless of its case [3].
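The check-versus-replacement mismatch behind this CVE, reduced to a stand-alone PHP script (an added illustration, not code from RosarioSIS; the `$remove` blocklist, the function names and the sample query string are constructed):

```php
<?php
// Added illustration, not code from RosarioSIS: the removal loop of
// PreparePHP_SELF.fnc.php reduced to a function, in its pre-fix and
// post-fix forms. $remove is a constructed stand-in for the project's list.

function strip_tokens_before_fix( $string, array $remove )
{
	foreach ( $remove as $remove_string )
	{
		// Case-sensitive condition, case-insensitive replacement: a token that
		// differs from the list entry only in case never enters the loop.
		while ( strpos( $string, $remove_string ) !== false )
		{
			$string = str_ireplace( $remove, '', $string );
		}
	}

	return $string;
}

function strip_tokens_after_fix( $string, array $remove )
{
	foreach ( $remove as $remove_string )
	{
		// stripos makes the condition case-insensitive, matching str_ireplace.
		while ( stripos( $string, $remove_string ) !== false )
		{
			$string = str_ireplace( $remove, '', $string );
		}
	}

	return $string;
}

// Constructed inputs: a short blocklist and a query string carrying one
// blocked token in mixed case.
$remove = array( 'javascript:', 'vbscript:' );
$sample = 'modules/Students/Student.php?modname=x&u=JavaScript:1';

foreach ( array( 'before fix' => 'strip_tokens_before_fix',
                 'after fix'  => 'strip_tokens_after_fix' ) as $label => $fn )
{
	$out  = $fn( $sample, $remove );
	$left = stripos( $out, 'javascript:' ) !== false ? 'token still present' : 'token removed';
	echo $label . ': ' . $out . ' (' . $left . ')' . PHP_EOL;
}
```

Running it shows the pre-fix loop returning the sample unchanged while the post-fix loop strips the mixed-case token, which is the behaviour the 9.0 patch restores.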
Exploitation
An attacker with access to craft or influence a URL can inject arbitrary JavaScript code that becomes stored and executed when other users visit the affected page [2]. No authentication is explicitly required for the injection, though the attack surface is limited to user-controllable input processed by the PreparePHP_SELF function [2, 3].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of a victim's browser, potentially leading to session hijacking, data theft, or defacement [2]. Because the XSS is stored, the malicious script persists and can affect multiple users without further interaction from the attacker [2].
Mitigation
The vulnerability is fixed in RosarioSIS version 9.0 [2]. The official commit [3] provides the necessary patch, and administrators are advised to update to the latest version or apply the commit manually.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| francoisjacquet/rosariosis (Packagist) | < 9.0 | 9.0 |
Affected products
- francoisjacquet/francoisjacquet/rosariosis (v5), range: unspecified
Patches
6b22c0b5b40f Fix stored XSS security issue: remove inline JS from URL in PreparePHP_SELF.fnc.php
1 file changed · +1 −1
functions/PreparePHP_SELF.fnc.php+1 −1 modified@@ -200,7 +200,7 @@ function( $match ) { foreach ( $remove as $remove_string ) { - while ( strpos( $string, $remove_string ) !== false ) + while ( stripos( $string, $remove_string ) !== false ) { $string = str_ireplace( $remove, '', $string ); }
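Review bot: the `while` condition in this hunk was case-sensitive (`strpos`) while the loop body removes with `str_ireplace`, which is case-insensitive, so before this change a list entry present in the URL only in a different case never satisfied the condition and was left in place; switching to `stripos` makes the condition agree with the replacement and is the right fix. Two smaller points: the body passes the whole `$remove` array to `str_ireplace` instead of the `$remove_string` being tested, so every iteration of the outer `foreach` performs the full replacement and the per-entry loop only contributes the condition; `$string = str_ireplace( $remove_string, '', $string );` would state the intent more clearly. A unit test that feeds a mixed-case list entry through this loop would keep the check and the replacement from drifting apart again.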
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-wjh9-344g-vc49 (source: GHSA; type: advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-1997 (source: GHSA; type: advisory)
- github.com/francoisjacquet/rosariosis/commit/6b22c0b5b40fad891c8cf9e7eeff3e42a35c0bf8 (source: GHSA; type: x_refsource_MISC, web)
- huntr.dev/bounties/28861ae9-7b09-45b7-a003-eccf903db71d (source: GHSA; type: x_refsource_CONFIRM, web)