Cross-site Scripting (XSS) - Stored in francoisjacquet/rosariosis
Description
Cross-site Scripting (XSS) - Stored in GitHub repository francoisjacquet/rosariosis prior to 8.9.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
RosarioSIS prior to 8.9.3 contains a stored XSS vulnerability via unsanitized SVG file uploads.
Root Cause
RosarioSIS, a student information system, contains a stored cross-site scripting (XSS) vulnerability in versions prior to 8.9.3. The flaw lies in the lack of sanitization for SVG files during file upload. An attacker can craft an SVG containing malicious JavaScript, which is then stored and served to other users without proper filtering [1][2].
Exploitation
An authenticated user with file upload privileges can supply an SVG file that contains embedded JavaScript. When the SVG is later rendered in a browser (for example, in a user's profile or document viewer), the script executes in the context of the victim's session. No special network position is required beyond being able to upload files, and the vulnerability is classified as a stored XSS [1][3].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of any user who views the malicious SVG. This can lead to session hijacking, data theft, or defacement within the application. The CVSS score of 6.1 (Medium) reflects the need for some privileges and user interaction [1].
Mitigation
The vulnerability is fixed in RosarioSIS version 8.9.3, which disallows unsanitized SVG uploads [2]. Administrators should update to this version or later. No known exploitation in the wild is mentioned in the provided references, but users of prior versions should prioritize patching.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
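As an added defender's illustration of the fix described above (example code, not RosarioSIS's own): a PHP upload filter that, like the 8.9.3 patch, leaves SVG off the extension whitelist, and additionally rejects a file whose leading bytes are SVG markup regardless of its name, since the extension is chosen by the uploader. The constant and function names are hypothetical, and it assumes PHP 8.

```php
<?php
// Added example, not RosarioSIS code. It mirrors the 8.9.3 fix, which drops
// '.svg' from the upload extension whitelist, and adds a second check the
// fix does not have: the file's leading bytes must not look like SVG/XML,
// because the extension comes from the uploader and proves nothing about
// the content. The constant and function names below are hypothetical.

const UPLOAD_EXTENSION_WHITELIST = ['.png', '.gif', '.bmp', '.ico', '.pdf'];

function looksLikeSvg(string $head): bool
{
    // Drop a UTF-8 BOM and leading whitespace, then test for XML/SVG openers.
    if (str_starts_with($head, "\xEF\xBB\xBF")) {
        $head = substr($head, 3);
    }
    return (bool) preg_match('/^(<\?xml|<!DOCTYPE\s+svg|<svg)/i', ltrim($head));
}

function isUploadAllowed(string $originalName, string $tmpPath): bool
{
    // Judge only the final extension, lower-cased, so "logo.SVG" and
    // "logo.png.svg" are both treated as ".svg" and rejected.
    $ext = '.' . strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!in_array($ext, UPLOAD_EXTENSION_WHITELIST, true)) {
        return false;
    }
    // Content check on the first KiB; an unreadable file is rejected as well.
    $head = file_get_contents($tmpPath, false, null, 0, 1024);
    return $head !== false && !looksLikeSvg($head);
}

// Constructed sample files for a self-check (not real uploads).
$dir = sys_get_temp_dir();
file_put_contents("$dir/real.png", "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16));
file_put_contents("$dir/markup.png", "\xEF\xBB\xBF  <svg xmlns=\"http://www.w3.org/2000/svg\"/>");

var_dump(isUploadAllowed('real.png', "$dir/real.png"));     // PNG bytes, .png name
var_dump(isUploadAllowed('real.svg', "$dir/real.png"));     // PNG bytes, .svg name
var_dump(isUploadAllowed('markup.png', "$dir/markup.png")); // SVG markup, .png name
```

Only the first call passes both checks; the whitelist alone would have accepted the third file, which is why the content check is worth keeping alongside it.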
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| francoisjacquet/rosariosis (Packagist) | < 8.9.3 | 8.9.3 |
Affected products
- francoisjacquet/francoisjacquet/rosariosis (v5), Range: unspecified
Patches
- dcd3b86156bf: Fix stored XSS security issue: do not allow unsanitized SVG
2 files changed · +6 −1
CHANGES.md+4 −0 modified@@ -1,6 +1,10 @@ # CHANGES ## RosarioSIS Student Information System +Changes in 8.9.3 +---------------- +- Fix stored XSS security issue: do not allow unsanitized SVG in FileUpload.fnc.php, thanks to @scgajge12 & @crowdoverflow + Changes in 8.9.2 ---------------- - Fix invalidate User School in session on login in index.php
ProgramFunctions/FileUpload.fnc.php+2 −1 modified@@ -794,7 +794,8 @@ function FileExtensionWhiteList() { '.png', '.gif', '.bmp', - '.svg', + // @since 8.9.3 Fix stored XSS security issue: do not allow unsanitized SVG + // '.svg', '.ico', '.psd', '.ai',
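Review bot: in the ProgramFunctions/FileUpload.fnc.php hunk, commenting out '.svg' in FileExtensionWhiteList() rejects every SVG upload rather than only unsanitized ones, so the in-code comment and the CHANGES.md entry ("do not allow unsanitized SVG") overstate what the code does and invite someone to uncomment the line believing a sanitizer exists; state plainly that SVG uploads are no longer accepted, and prefer deleting the entry to leaving a commented-out whitelist item. The hunk also does nothing about SVG files uploaded before this change, which stay wherever the application stored them, so a follow-up for existing uploads (removal, or serving them with a Content-Disposition: attachment header) is worth tracking.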
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-2mh7-qxcw-q39g (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-3072 (GHSA, ADVISORY)
- github.com/francoisjacquet/rosariosis/commit/dcd3b86156bf9e981944e1a9e01ea23d8ad7c83a (GHSA, x_refsource_MISC, WEB)
- gitlab.com/francoisjacquet/rosariosis/blob/mobile/CHANGES.md (GHSA, WEB)
- huntr.dev/bounties/9755ae6a-b08b-40a0-8089-c723b2d9ca52 (GHSA, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.