Improper Access Control in francoisjacquet/rosariosis
Description
Improper Access Control in GitHub repository francoisjacquet/rosariosis prior to 10.9.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper access control in RosarioSIS prior to 10.9.3 allows attackers to bypass authentication via cached page loading.
Vulnerability
Overview
CVE-2023-2202 is an improper access control vulnerability in RosarioSIS, a student information system, affecting versions prior to 10.9.3. The issue stems from the application's handling of browser caching, where previously loaded pages remain accessible even after a user logs out. Specifically, the browser may load cached pages upon a full reload (F5) or when using the back button after logout, bypassing authentication checks [2][4].
Exploitation
Prerequisites
Exploitation does not require any special privileges; any user with access to the application can potentially exploit this flaw. The attack vector is local to the browser session: after a legitimate user logs out, an attacker (or the same user from a different session) could use the browser's back button or perform a full page reload (F5) to retrieve cached pages that should have been protected. This is a client-side caching issue that the server did not properly invalidate [4].
Impact
An attacker could gain unauthorized access to sensitive information displayed on previously cached pages, such as student records, grades, or administrative data. Although the attacker does not gain persistent access, the exposure of cached data can lead to privacy breaches and further attacks if the cached content includes session tokens or other credentials.
Mitigation
The vulnerability was addressed in RosarioSIS version 10.9.3, released on April 11, 2023. The fix involves adding cache-control headers and invalidating browser caches to prevent the retrieval of authenticated pages after logout [3][4]. Users are strongly advised to upgrade to version 10.9.3 or later. No workarounds have been documented, but configuring the web server to send appropriate cache-control headers may provide a partial mitigation.
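The server-side check that complements the advisory's header advice, as an added example that is not part of the advisory or of RosarioSIS: it parses a response's Cache-Control directives and flags the ones that let a browser keep serving a logged-in page after logout (a `no-cache` directive alone, as the 10.9.2 changelog describes, only forces revalidation and does not stop a back navigation from showing the stored copy; `no-store` does). The two header sets are constructed for illustration.

```python
import re

# Constructed sample header sets (not captured from a RosarioSIS server).
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "ETag": '"constructed-etag"',
    "Cache-Control": "no-cache",  # revalidate, but storing is still allowed
}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",  # for HTTP/1.0 intermediaries
}

# directive[=token|"quoted-string"], comma separated (RFC 9111 section 5.2)
_DIRECTIVE = re.compile(
    r'\s*([A-Za-z-]+)\s*(?:=\s*("(?:[^"\\]|\\.)*"|[^,\s]*))?\s*(?:,|$)')


def parse_cache_control(value):
    """Map lower-cased directive names to their argument (None when absent)."""
    directives = {}
    for name, arg in _DIRECTIVE.findall(value):
        directives[name.lower()] = arg.strip('"') if arg else None
    return directives


def authenticated_page_findings(headers):
    """Return findings for a response carrying logged-in data; [] means OK."""
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    findings = []
    if "no-store" not in cc:
        findings.append("no-store missing: page may stay in disk cache or bfcache after logout")
        if "no-cache" in cc:
            # no-cache only demands revalidation; history navigation need not revalidate
            findings.append("no-cache alone: back navigation may still show the stored copy")
    if "public" in cc:
        findings.append("public: shared caches may store an authenticated response")
    if cc.get("max-age") not in (None, "0"):
        findings.append("max-age>0: stored copy is reusable without revalidation for that long")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, authenticated_page_findings(hdrs) or "OK")
```

Run it against the headers of a logged-in page captured from your own deployment (a browser's developer tools or curl will show them) to confirm the upgrade actually sends `no-store`.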
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| francoisjacquet/rosariosis (Packagist) | < 10.9.3 | 10.9.3 |
Affected products
- francoisjacquet/francoisjacquet/rosariosis (v5), range: unspecified
Patches
6433946abfb3: Security Fix browser loading cached page when page full reload (F5) + logout + Back button
4 files changed · +25 −18
assets/js/plugins.min.js+2 −2 modifiedassets/js/plugins.min.js.map+1 −1 modifiedassets/js/warehouse.js+18 −14 modified@@ -497,27 +497,31 @@ var ajaxPopState = function() { * @link https://stackoverflow.com/questions/17432899/javascript-bfcache-pageshow-event-event-persisted-always-set-to-false * @link https://huntr.dev/bounties/efe6ef47-d17c-4773-933a-4836c32db85c/ */ -if (window.performance && (performance.navigation.type == 2 - || (performance.getEntriesByType - && performance.getEntriesByType("navigation")[0] - && performance.getEntriesByType("navigation")[0].type === 'back_forward'))) { - location.reload(); -} +function browserHistoryCacheBuster(event) { + if (location.href.indexOf('Modules.php?') === -1) { + // Current page is not Modules.php, no login required, skip. + return; + } -window.onpageshow=function(event) { - /** - * Same as above for Safari (does not execute Javascript on history back) - * persisted indicates if the document is loading from a cache (not reliable) - * - * @link https://web.dev/bfcache/ - */ - if (event.persisted + // persisted indicates if the document is loading from a cache (not reliable) + if ((event && event.persisted) || window.performance && (performance.navigation.type == 2 || (performance.getEntriesByType && performance.getEntriesByType("navigation")[0] && performance.getEntriesByType("navigation")[0].type === 'back_forward'))) { location.reload(); } +} + +browserHistoryCacheBuster(); + +/** + * onpageshow: Same as above for Safari (does not execute Javascript on history back) + * + * @link https://web.dev/bfcache/ + */ +window.onpageshow=function(event) { + browserHistoryCacheBuster(event); }; // onunload: Fix for Firefox to execute Javascript on history back.
CHANGES.md+4 −1 modified@@ -10,14 +10,17 @@ Changes in 11.0 - Translate "Zip" & "Zipcode" to "Zip Code" in GetStuList.fnc.php, MyReport.php, Registration.fnc.php, Schools.php & Address.inc.php - HTML Text input min size is 2 in Inputs.php +Changes in 10.9.3 +----------------- +- Security Fix browser loading cached page when page full reload (F5) + logout + Back button in warehouse.js, thanks to @b1tch3s + Changes in 10.9.2 ----------------- - Fix Format Contact Field value based on its Type in ViewContact.php - Fix regression add Contact Info columns to list in MyReport.php - ETag + Cache-Control header: use no-cache directive in Warehouse.php - Set `$_SESSION['is_secondary_teacher']` in SetUserCoursePeriod() in Current.php - Fix Set current User Course Period before Secondary Teacher logic in TakeAttendance.php, AnomalousGrades.php, Assignments.php, Grades.php, InputFinalGrades.php & ProgressReports.php -- Security Fix browser loading cached page when page full reload (F5) + logout + Back button in warehouse.js, thanks to @b1tch3s Changes in 10.9.1 -----------------
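Review bot: in the warehouse.js hunk, the reload inside browserHistoryCacheBuster() only happens when script executes on the restored page, so it is a usability safeguard rather than the access control itself; a page restored from bfcache or disk cache with scripting disabled, or read from the browser's cache store, is not affected by it, and authenticated responses should carry `Cache-Control: no-store` on the server side (the 10.9.2 changelog entry visible in this commit records a switch to the `no-cache` directive in Warehouse.php, which still permits storing the response and only requires revalidation). Also, `window.performance &&` guards `performance` but not the deprecated `performance.navigation`, so `performance.navigation.type` throws where that object is absent; add a `performance.navigation &&` guard before the `.type` access, and wrap the `window.performance && (...)` clause in its own parentheses so the mixed `||`/`&&` condition reads unambiguously.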
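Review bot: in the CHANGES.md hunk, the entry moved into the new `Changes in 10.9.3` section names only warehouse.js, but the same commit also rebuilds assets/js/plugins.min.js and its .map; mention the rebuilt bundle in the entry so packagers know which files must ship together for the fix to take effect.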
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-g66v-3v62-g375 (advisory, via GHSA)
- [2] nvd.nist.gov/vuln/detail/CVE-2023-2202 (advisory, via GHSA)
- [3] github.com/francoisjacquet/rosariosis/commit/6433946abfb34324616e833b1c00d0b2450753be (web, via GHSA)
- [4] github.com/francoisjacquet/rosariosis/compare/v10.9.2...v10.9.3 (web, via GHSA)
- [5] huntr.dev/bounties/efe6ef47-d17c-4773-933a-4836c32db85c (web, via GHSA)