VYPR
Moderate severity · NVD Advisory · Published Jun 9, 2022 · Updated Aug 3, 2024

Cross-site Scripting (XSS) - Stored in francoisjacquet/rosariosis

CVE-2022-2036

Description

Cross-site Scripting (XSS) - Stored in GitHub repository francoisjacquet/rosariosis prior to 9.0.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in RosarioSIS before 9.0.1 allows attackers to inject arbitrary JavaScript via a crafted URL that is not properly decoded.

Vulnerability

Overview

CVE-2022-2036 is a stored cross-site scripting (XSS) vulnerability in RosarioSIS, an open-source Student Information System, affecting all versions prior to 9.0.1 [1]. The root cause lies in the PreparePHP_SELF.fnc.php file, where the application fails to properly decode HTML entities from URL parameters before using them in output. Specifically, the html_entity_decode function was called without the ENT_QUOTES | ENT_HTML5 flags, leaving single quotes and other entities unescaped, which allowed attackers to break out of the intended context [3].

Exploitation and Attack Surface

An attacker can exploit this vulnerability by crafting a malicious URL containing HTML entities (for example, an entity-encoded single quote) or other JavaScript-payload sequences. When the application processes this URL, the insufficient decoding preserves the malicious content, which is then stored and later rendered in the context of another user's browser session [2]. No authentication is required for the initial injection point, but the stored payload will execute when any user (including administrators) views the affected page. The attack vector is network-based with low complexity [2].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, theft of sensitive data (e.g., student records, credentials), defacement of the application UI, or further attacks such as keylogging or redirecting users to malicious sites. Because the payload is stored, every subsequent visitor to the affected page is at risk, amplifying the impact across the organization [2].

Mitigation

The vulnerability was fixed in RosarioSIS version 9.0.1, released on or around June 9, 2022 [3]. The commit introduces proper entity decoding by adding the ENT_QUOTES | ENT_HTML5 flags to the html_entity_decode call, ensuring that all HTML entities (including single quotes) are correctly decoded and neutralized [3]. Administrators are strongly advised to upgrade to 9.0.1 or later. No workarounds are known; upgrading is the only reliable mitigation. This CVE has been catalogued by CISA's Known Exploited Vulnerabilities (KEV) list, emphasizing the need for immediate patching.
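The following PHP script is an added illustration of the mechanism described in the Overview and Mitigation sections above; it is not RosarioSIS code. It models a "decode entities, then filter" sanitizer in the style of PreparePHP_SELF with a constructed removal list (sanitize_self_url, breaks_single_quoted_attribute and the $remove patterns are all assumptions made for this example), feeds it constructed inputs that carry a single quote as three different entities, and shows which flag set lets the quote reach a single-quoted HTML attribute.

```php
<?php
// Added example, not RosarioSIS code. Models the "decode entities, then
// filter" step that CVE-2022-2036 concerns, with a constructed filter list
// and constructed inputs, and checks each result against the output sink.

declare(strict_types=1);

/**
 * Stand-in for a PreparePHP_SELF-style sanitizer: decode HTML entities with
 * the given $flags, then strip characters and patterns the URL must never
 * carry into an HTML attribute. The $remove list is illustrative only; it is
 * not the project's own list.
 */
function sanitize_self_url(string $string, int $flags): string
{
    // Decode first so the patterns below see the real characters.
    $string = html_entity_decode($string, $flags);

    $remove = [
        "/['\"<>]/",         // attribute and tag delimiters
        '/javascript:/i',    // scheme-based handlers
        '/\bon[a-z]+\s*=/i', // inline event handlers
    ];

    return (string) preg_replace($remove, '', $string);
}

/**
 * What the browser will see once the value lands in href='...': decode
 * whatever the sanitizer left behind with the strictest flags and report
 * whether a single quote (the attribute terminator) survived.
 */
function breaks_single_quoted_attribute(string $sanitized): bool
{
    $as_browser_sees = html_entity_decode($sanitized, ENT_QUOTES | ENT_HTML5);
    return strpos($as_browser_sees, "'") !== false;
}

// Constructed inputs: the same single quote encoded three ways.
$inputs = [
    'Modules.php?modname=x&#039;y', // decimal numeric entity
    'Modules.php?modname=x&#x27;y', // hex numeric entity
    'Modules.php?modname=x&apos;y', // HTML5 named entity
];

// ENT_COMPAT | ENT_HTML401 mirrors the PHP < 8.1 default (double quotes are
// decoded, single quotes are left alone); ENT_QUOTES | ENT_HTML5 is the fix.
$flag_sets = [
    'vulnerable: ENT_COMPAT | ENT_HTML401' => ENT_COMPAT | ENT_HTML401,
    'fixed:      ENT_QUOTES | ENT_HTML5'   => ENT_QUOTES | ENT_HTML5,
];

foreach ($flag_sets as $label => $flags) {
    echo $label, PHP_EOL;
    foreach ($inputs as $input) {
        $out = sanitize_self_url($input, $flags);
        printf("  %-30s -> %-28s %s\n", $input, $out,
            breaks_single_quoted_attribute($out) ? 'UNSAFE' : 'ok');
    }
}
```

With the vulnerable flags every entity survives the filter untouched and is reported UNSAFE, because the filter never saw a literal quote while the browser will; with ENT_QUOTES | ENT_HTML5 all three inputs decode to a literal quote that the filter removes. Passing the flags explicitly also makes the behaviour independent of the PHP version, since PHP 8.1 changed the default to include ENT_QUOTES. A removal list after a single decode pass remains a fragile last line of defence; escaping at the sink with htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') is the more robust control to pair with it.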

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                   Affected versions   Patched versions
francoisjacquet/rosariosis (Packagist)    < 9.1               9.1

Affected products: 2

Patches: 1
6e213b17e6ac

Fix stored XSS security issue: decode HTML entities from URL

https://github.com/francoisjacquet/rosariosis · François Jacquet · Jun 8, 2022 · via ghsa
2 files changed · +5 −1
  • CHANGES.md+4 0 modified
    @@ -1,6 +1,10 @@
     # CHANGES
     ## RosarioSIS Student Information System
     
    +Changes in 9.0.1
    +----------------
    +- Fix stored XSS security issue: decode HTML entities from URL in PreparePHP_SELF.fnc.php, thanks to @domiee13
    +
     Changes in 9.0
     --------------
     - CSS add length to previous meals select in DailyMenus.php
    
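Review bot: the new 9.0.1 entry names the file and the reporter but not the advisory identifier; adding the CVE id (CVE-2022-2036) to the line `- Fix stored XSS security issue: decode HTML entities from URL in PreparePHP_SELF.fnc.php, thanks to @domiee13` would let packagers and scanners match this release to the advisory without reading the commit.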
  • functions/PreparePHP_SELF.fnc.php+1 1 modified
    @@ -191,7 +191,7 @@ function( $match ) {
     	);
     
     	// Fix stored XSS security issue: decode HTML entities from URL.
    -	$string = html_entity_decode( (string) $string );
    +	$string = html_entity_decode( (string) $string, ENT_QUOTES | ENT_HTML5 );
     
     	$remove = [
     		// Fix stored XSS security issue: remove inline JS from URL.
    
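Review bot: the decode on the `+` line runs a single pass, so a value whose quote is itself entity-encoded (`&amp;#039;`) comes out as `&#039;` and is not visible to the `$remove` patterns that follow; the comment `// Fix stored XSS security issue: decode HTML entities from URL.` should state why one pass is sufficient, or the sink that prints `$string` should escape it with htmlspecialchars() using the same ENT_QUOTES | ENT_HTML5 flags so the removal list is not the last line of defence. Passing the flags explicitly is the right call: before PHP 8.1 the default flags leave single quotes undecoded, and on 8.1 and later the default already includes ENT_QUOTES, so the explicit flags make the behaviour version-independent.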

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0

No linked articles in our index yet.