Exposure of Sensitive Information to an Unauthorized Actor in francoisjacquet/rosariosis
Description
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository francoisjacquet/rosariosis prior to 10.8.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
RosarioSIS prior to 10.8.2 exposed sensitive information by giving uploaded assignment files (student submissions and teacher-uploaded assignment files) predictable names, allowing an unauthorized actor to fetch them by guessing the name.
Vulnerability
Description
CVE-2023-0994 is an information exposure vulnerability in RosarioSIS, a student information system, affecting versions prior to 10.8.2. The vulnerability stems from predictable filenames for uploaded assignment files. In StudentAssignmentSubmit (student submissions) and UploadAssignmentTeacherFile (teacher-supplied assignment files), the sub-second part of the name came from DateTime::format('u'). The format string had requested microseconds since 8.9.5 and 9.0 respectively, but a DateTime created with new \DateTime() carries no microseconds on PHP builds older than 7.1, so on those builds (the fix commit labels them "PHP<7") the field rendered as a constant 000000. What remained was a second-resolution timestamp, or the course title and assignment ID, both easy to guess or brute-force [1][3].
Exploitation
An attacker with network access to the RosarioSIS application could exploit this by enumerating candidate filenames from the known patterns: for teacher-uploaded files, [course_title]_[assignment_ID].000000.ext; for student submissions, a date-time accurate to the second followed by the same constant fraction. No authentication is required if the assignments directory is served by the web server without an authorization check, which lets the attacker download other students' submissions [3].
Impact
Successful exploitation enables an unauthorized actor to read sensitive information contained in student assignment files, such as personal details, grades, or other confidential data. This violates student privacy and could lead to further security incidents [1].
Mitigation
The issue was addressed in RosarioSIS 10.8.2 by deriving the microsecond component from microtime() instead of DateTime::format('u'), so the fraction actually varies on every PHP build [3]. This makes names harder to predict but not unguessable: a six-digit fraction has only one million possible values, so a file in a web-reachable directory whose other name components are known remains enumerable. Users are strongly advised to upgrade to 10.8.2 or later; keeping uploaded files outside directly web-served paths, or serving them only through an authorization check, closes the exposure regardless of the naming scheme.
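To make the exploitation and mitigation passages above concrete, here is an added Python model (not RosarioSIS code, which is PHP) of the two filename patterns visible in the fix commit. It counts the candidate names an attacker has to try under the pre-10.8.2 scheme (constant 000000 fraction), under the 10.8.2 microtime() scheme, and under a random-token scheme that this example proposes as a stronger alternative. The `no_accents` stand-in and every function name are this example's own, and the sample course title, assignment ID and microsecond value are constructed.

```python
import secrets
import unicodedata

MICROSECOND_VALUES = 1_000_000  # a six-digit fraction can take this many values


def no_accents(text: str) -> str:
    """Rough stand-in for RosarioSIS's no_accents() (assumption): strip diacritics, keep ASCII."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if ord(ch) < 128)


def teacher_file_name(course_title: str, assignment_id: int, microseconds: int, ext: str) -> str:
    """Mirror of the UploadAssignmentTeacherFile pattern: [course_title]_[assignment_ID].[usec]ext."""
    return no_accents(f"{course_title}_{assignment_id}.{microseconds:06d}") + ext


def enumerate_teacher_names(course_title: str, assignment_id: int, ext: str, scheme: str):
    """Yield every name the given scheme could have produced for this assignment."""
    prefix = no_accents(f"{course_title}_{assignment_id}") + "."
    if scheme == "datetime-u-zero":
        # Pre-10.8.2: DateTime::format('u') on a build that leaves microseconds
        # unset renders a constant "000000", so there is exactly one candidate.
        yield prefix + "000000" + ext
    elif scheme == "microtime":
        # 10.8.2: substr((string) microtime(), 2, 6); any six-digit value is possible.
        for usec in range(MICROSECOND_VALUES):
            yield f"{prefix}{usec:06d}{ext}"
    else:
        raise ValueError(f"cannot enumerate scheme {scheme!r}")


def attempts_to_guess(target: str, course_title: str, assignment_id: int, ext: str, scheme: str):
    """Number of candidate names tried before hitting target, or None if it is never produced."""
    candidates = enumerate_teacher_names(course_title, assignment_id, ext, scheme)
    for attempt, name in enumerate(candidates, start=1):
        if name == target:
            return attempt
    return None


def search_space(scheme: str, window_seconds: int = 1) -> int:
    """Candidate names an attacker must try when the upload time is known to within window_seconds.

    Student submissions (StudentAssignmentSubmit) prefix the fraction with a date-time
    accurate to the second, so the window multiplies the per-second space; teacher
    files carry no timestamp at all, which is the window_seconds=1 case.
    """
    if scheme == "datetime-u-zero":
        return window_seconds                        # one name per candidate second
    if scheme == "microtime":
        return window_seconds * MICROSECOND_VALUES   # one million names per candidate second
    if scheme == "random-token":
        return 2 ** 128                              # 16 CSPRNG bytes; knowing the time does not help
    raise ValueError(f"unknown scheme {scheme!r}")


def random_file_name(course_title: str, assignment_id: int, ext: str) -> str:
    """Suggested alternative (not the project's code): keep the readable prefix,
    append 16 random bytes from the OS CSPRNG so the name cannot be enumerated."""
    return no_accents(f"{course_title}_{assignment_id}") + "." + secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed sample: course "Algèbre 1", assignment 42, file written at .251393 s.
    leaked = teacher_file_name("Algèbre 1", 42, 251393, ".pdf")
    print("old scheme, tries needed:",
          attempts_to_guess("Algebre 1_42.000000.pdf", "Algèbre 1", 42, ".pdf", "datetime-u-zero"))
    print("10.8.2 scheme, tries needed:",
          attempts_to_guess(leaked, "Algèbre 1", 42, ".pdf", "microtime"))
    print("student submission, 60 s window, 10.8.2:", search_space("microtime", 60))
    print("random token:", random_file_name("Algèbre 1", 42, ".pdf"))
```

Running it shows the teacher file name recovered on the first try under the old scheme and after at most one million tries under the patched one, which is why the patch is best read as raising the cost of a guess rather than closing the exposure for a web-reachable directory; the random-token variant is what removes enumeration as an attack at all.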
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| francoisjacquet/rosariosis (Packagist) | < 10.8.2 | 10.8.2 |
Affected products
- francoisjacquet/rosariosis (v5 record): range unspecified
Patches
1630d3e3d7827: PHP<7 Fix add microseconds to filename to make it harder to predict
2 files changed · +6 −6
CHANGES.md+4 −0 modified@@ -1,6 +1,10 @@ # CHANGES ## RosarioSIS Student Information System +Changes in 10.8.2 +----------------- +- PHP<7 Fix add microseconds to filename to make it harder to predict in StudentAssignments.fnc.php, thanks to @jeffreygaor + Changes in 10.8.1 ----------------- - Use CheckBoxOnclick() in StudentBalances.php & Schedule.inc.php
modules/Grades/includes/StudentAssignments.fnc.php+2 −6 modified@@ -65,10 +65,8 @@ function StudentAssignmentSubmit( $assignment_id, &$error ) $files = issetVal( $old_data['files'] ); - $timestamp = new \DateTime(); - // @since 8.9.5 Add microseconds to filename format to make it harder to predict. - $timestamp = $timestamp->format( 'Y-m-d H:i:s.u' ); + $timestamp = date( 'Y-m-d His' ) . '.' . substr( (string) microtime(), 2, 6 ); $assignments_path = GetAssignmentsFilesPath( $assignment['STAFF_ID'] ); @@ -530,10 +528,8 @@ function UploadAssignmentTeacherFile( $assignment_id, $teacher_id, $file_input_i return ''; } - $microseconds = new \DateTime(); - // @since 9.0 Add microseconds to filename format to make it harder to predict. - $microseconds = $microseconds->format( 'u' ); + $microseconds = substr( (string) microtime(), 2, 6 ); // Filename = [course_title]_[assignment_ID].ext. $file_name_no_ext = no_accents( $assignment['COURSE_TITLE'] . '_' . $assignment_id . '.' . $microseconds );
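Review bot: the new CHANGES.md entry for 10.8.2 says "add microseconds to filename" but the removed lines in StudentAssignments.fnc.php show microseconds were already requested via DateTime::format('u') since 8.9.5 and 9.0; a changelog reader cannot tell what actually changed. Suggest wording it as "use microtime() instead of DateTime::format('u'), which returned a constant fraction on the affected PHP builds", so operators can judge whether their PHP version was exposed.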
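Review bot: in the StudentAssignmentSubmit hunk, the replacement line `$timestamp = date( 'Y-m-d His' ) . '.' . substr( (string) microtime(), 2, 6 );` drops the "@since 8.9.5 ... harder to predict" comment that explained the sub-second component; keep a comment stating that microtime() is used because DateTime::format('u') yields 000000 on the affected builds, otherwise a later cleanup can silently revert it. Also note the timestamp format changed from 'Y-m-d H:i:s.u' to colon-free 'Y-m-d His', which is fine for new files but worth a line in CHANGES. More importantly, a second-resolution timestamp plus six microsecond digits leaves at most one million names per known second, which is still brute-forceable if the directory is web-reachable; consider appending random bytes (bin2hex(openssl_random_pseudo_bytes(8)) on PHP 5, random_bytes() on 7) or serving the files through an authorization check.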
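Review bot: in the UploadAssignmentTeacherFile hunk, the name has no date component at all ("Filename = [course_title]_[assignment_ID].ext" plus the fraction), so once the course title and assignment ID are known there are exactly one million possible names per assignment; `substr( (string) microtime(), 2, 6 )` raises the cost of a guess but does not make enumeration impractical. Suggest a random token here rather than the microsecond fraction, and keep the removed "@since 9.0" rationale comment.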
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
News mentions (0)
No linked articles in our index yet.