SQL Injection in francoisjacquet/rosariosis
Description
SQL Injection in GitHub repository francoisjacquet/rosariosis prior to 9.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2022-2067 is a SQL injection vulnerability in RosarioSIS prior to v9.0 due to unsanitized database identifiers in several PHP files.
Vulnerability Overview
CVE-2022-2067 is a SQL injection vulnerability found in RosarioSIS, a student information system, in versions before 9.0. The root cause lies in the failure to properly escape database identifiers (such as column names) when building dynamic SQL queries. The official fix, as shown in commit 15d5e8700d538935b5c411b2a1e25bcf7e16c47c [4], adds calls to DBEscapeIdentifier() around user-influenced column names in multiple files including RegistrationSave.fnc.php, Calendar.php, MarkingPeriods.php, SchoolFields.php, AddressFields.php, PeopleFields.php, StudentFields.php, and UserFields.php [4].
Attack Vector
The vulnerability is present in the modules/School_Setup/Calendar.php file, specifically around line 498 [2], where column values are concatenated directly into SQL query strings without proper escaping. An attacker could exploit this by providing specially crafted input that modifies the SQL query structure. This requires some level of authenticated access (likely administrative or staff) to the vulnerable forms; the vulnerability is not directly unauthenticated. The attack surface involves any user-facing fields that map to database column names [1][2].
Impact
Successful exploitation could allow an attacker to execute arbitrary SQL commands on the backend database (MySQL/MariaDB or PostgreSQL). This could lead to unauthorized reading, modification, or deletion of sensitive school data, including student records, grades, attendance, and personal information [1]. The impact is severe because the application manages core school operations.
Mitigation
The vulnerability has been fixed in RosarioSIS version 9.0 [3]. Users are strongly advised to upgrade to this version or later. The fix systematically applies DBEscapeIdentifier() to all user-controlled column references in the affected files [4]. No workarounds are provided beyond the upgrade.
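To make the identifier problem concrete, here is an added example (not RosarioSIS code, and not the project's DBEscapeIdentifier()) that places the pre-fix concatenation pattern from the hunks beside a hardened builder. The point it demonstrates is that column names cannot be passed as bound parameters, so they must be quoted and checked against the table's real columns, while values go through placeholders. The table and column names are constructed for the example and SQLite stands in for the database.

```python
import sqlite3

# Constructed schema standing in for a RosarioSIS-style table (names invented).
SCHEMA = "CREATE TABLE calendar_days (id INTEGER PRIMARY KEY, title TEXT, minutes INTEGER)"


def make_conn():
    """In-memory SQLite database with the constructed schema loaded."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def quote_identifier(name):
    """Quote an SQL identifier (SQLite/PostgreSQL style): wrap in double quotes
    and double any embedded quote so the name can never close the quoting."""
    return '"' + name.replace('"', '""') + '"'


def build_insert_vulnerable(table, fields):
    """Mirrors the pre-fix pattern in the hunks: $fields .= $column . ','
    and $values .= "'" . $value . "'," with nothing escaped on either side."""
    cols = ",".join(fields.keys())
    vals = ",".join("'" + str(v) + "'" for v in fields.values())
    return "INSERT INTO " + table + " (" + cols + ") VALUES (" + vals + ")"


def build_insert_hardened(conn, table, fields):
    """Identifiers cannot be bound, so every column name is checked against
    the table's actual columns and quoted; values are bound with placeholders."""
    allowed = {row[0] for row in conn.execute("SELECT name FROM pragma_table_info(?)", (table,))}
    for col in fields:
        if col not in allowed:
            raise ValueError("unknown column: %r" % col)
    cols = ",".join(quote_identifier(c) for c in fields)
    placeholders = ",".join("?" for _ in fields)
    sql = "INSERT INTO " + quote_identifier(table) + " (" + cols + ") VALUES (" + placeholders + ")"
    return sql, tuple(fields.values())


def insert_row(conn, table, fields):
    """Insert one row through the hardened builder; returns the row count afterwards."""
    sql, params = build_insert_hardened(conn, table, fields)
    conn.execute(sql, params)
    return conn.execute("SELECT COUNT(*) FROM " + quote_identifier(table)).fetchone()[0]
```

The allowlist check is what DBEscapeIdentifier() alone does not give you: a quoted but unknown column still fails, it just fails as a database error instead of as altered query structure.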
- [1] GitHub - francoisjacquet/rosariosis: RosarioSIS Student Information System for school management.
- [2] rosariosis/modules/School_Setup/Calendar.php at 51947b6cfc7f0df62ab3305839c89586004fbec2 · francoisjacquet/rosariosis
- [3] NVD - CVE-2022-2067
- [4] Fix SQL injection escape DB identifier · francoisjacquet/rosariosis@15d5e87
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| francoisjacquet/rosariosis (Packagist) | < 9.0 | 9.0 |
Affected products
- francoisjacquet/rosariosis (version range unspecified)
Patches
- 15d5e8700d53: Fix SQL injection escape DB identifier
9 files changed · +9 −8
CHANGES.md+1 −0 modified@@ -53,6 +53,7 @@ Changes in 9.0 - Add AttrEscape() function in Inputs.php - Use AttrEscape() instead of htmlspecialchars(), program wide - Maintain Advanced search when editing Timeframe in Percent.php +- Fix SQL injection escape DB identifier in RegistrationSave.fnc.php, Calendar.php, MarkingPeriods.php, SchoolFields.php, AddressFields.php, PeopleFields.php, StudentFields.php & UserFields.php Changes in 8.9.4 ----------------
modules/Custom/includes/RegistrationSave.fnc.php+1 −1 modified@@ -407,7 +407,7 @@ function RegistrationSaveContactNameFields( $config, $values ) if ( ! empty( $value ) || $value == '0' ) { - $fields .= $column . ','; + $fields .= DBEscapeIdentifier( $column ) . ','; $values_sql .= "'" . $value . "',"; }
modules/School_Setup/Calendar.php+1 −1 modified@@ -500,7 +500,7 @@ if ( ! empty( $value ) || $value == '0' ) { - $fields .= $column . ','; + $fields .= DBEscapeIdentifier( $column ) . ','; $values .= "'" . $value . "',"; $go = true; }
modules/School_Setup/MarkingPeriods.php+1 −1 modified@@ -204,7 +204,7 @@ if ( ! empty( $value ) || $value === '0' ) { - $fields .= $column . ','; + $fields .= DBEscapeIdentifier( $column ) . ','; $values .= "'" . $value . "',";
modules/School_Setup/SchoolFields.php+1 −1 modified@@ -73,7 +73,7 @@ if ( ! empty( $value ) || $value == '0' ) { - $fields .= $column . ','; + $fields .= DBEscapeIdentifier( $column ) . ','; $values .= "'" . $value . "',";
modules/Students/includes/AddressFields.php+1 −1 modified@@ -91,7 +91,7 @@ if ( ! empty( $value ) || $value == '0' ) { - $fields .= $column . ','; + $fields .= DBEscapeIdentifier( $column ) . ','; $values .= "'" . $value . "',";
modules/Students/includes/PeopleFields.php+1 −1 modified@@ -91,7 +91,7 @@ if ( ! empty( $value ) || $value == '0' ) { - $fields .= $column . ','; + $fields .= DBEscapeIdentifier( $column ) . ','; $values .= "'" . $value . "',";
modules/Students/includes/StudentFields.php+1 −1 modified@@ -125,7 +125,7 @@ if ( ! empty( $value ) || $value == '0' ) { - $fields .= $column . ','; + $fields .= DBEscapeIdentifier( $column ) . ','; $values .= "'" . $value . "',";
modules/Users/UserFields.php+1 −1 modified@@ -134,7 +134,7 @@ if ( ! empty( $value ) || $value == '0' ) { - $fields .= $column . ','; + $fields .= DBEscapeIdentifier( $column ) . ','; $values .= "'" . $value . "',";
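Review bot: in every PHP hunk the line right after the change, `$values .= "'" . $value . "',";`, still concatenates `$value` into the statement text unchanged, so only the identifier side of the same INSERT is fixed here; confirm that `$value` is already escaped for the SQL string context before these loops run, or bind/escape it in the same change. If it is escaped upstream, a one-line comment at the loop head saying so would stop the question being raised again.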
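Review bot: the MarkingPeriods.php hunk tests `$value === '0'` while the other seven hunks use `$value == '0'` for what is the same empty-check in each file; consider aligning them on the strict form (it avoids PHP's loose numeric-string comparison) or noting why MarkingPeriods.php differs.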
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-3pqv-6pm3-g46j (advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-2067 (advisory)
- github.com/francoisjacquet/rosariosis/blob/51947b6cfc7f0df62ab3305839c89586004fbec2/modules/School_Setup/Calendar.php (web)
- github.com/francoisjacquet/rosariosis/commit/15d5e8700d538935b5c411b2a1e25bcf7e16c47c (web)
- huntr.dev/bounties/a85a53a4-3009-4f41-ac33-8bed8bbe16a8 (web)