VYPR
High severity · NVD Advisory · Published May 12, 2023 · Updated Jan 24, 2025

Storage of Sensitive Data in a Mechanism without Access Control in francoisjacquet/rosariosis

CVE-2023-2665

Description

Storage of Sensitive Data in a Mechanism without Access Control in GitHub repository francoisjacquet/rosariosis prior to 11.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

RosarioSIS before 11.0 stored uploaded files with predictable names, enabling attackers to access sensitive data without proper access control.

Vulnerability

Description

CVE-2023-2665 describes a weakness in the RosarioSIS student information system, versions prior to 11.0, where uploaded files (e.g., salary files, portal note attachments, student billing files) were stored under a name built from the sanitized original base name plus the current date and time at one-second resolution, produced by PHP's date('Y-m-d_His') [1][3]. Anyone who knows the base name and roughly when the file was uploaded can therefore enumerate the stored name, so sensitive data was effectively stored in a mechanism without access control (CWE-921) [2].

Exploitation

Scenario

An attacker who knows or can guess the original file name (for example from a school's naming convention) or who has seen one uploaded file's name, and who knows roughly when a file was uploaded, can enumerate the candidate names for that window: at one-second resolution a ten-minute window is only 600 guesses. Because the storage location is served without an access-control check, the attacker can request files by those names directly, without authenticating [1][4]. No special network position or privilege is required beyond the ability to send HTTP requests to the vulnerable server.

Impact

Successful exploitation allows an unauthenticated attacker to download sensitive files uploaded by administrators or teachers, including salary records, billing data, and other confidential school documents. This constitutes a breach of confidentiality for the school's operational data and the personal information of staff and students.

Mitigation

The fix in RosarioSIS 11.0 appends six microsecond digits taken from microtime() to the timestamp, so a stored name looks like name_2023-04-11_153045.251393.ext instead of name_2023-04-11_153045.ext, raising the number of candidates per second of uncertainty from one to a million [3]. Users are strongly advised to update to version 11.0 or later; the advisory lists no workaround. Note that the patch changes only how names are generated: microtime() is a clock, not a cryptographically secure random source, and the change does not add an access-control check in front of the upload directory, so restricting direct web access to that directory remains a sensible defense-in-depth measure.
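To make the predictability concrete for both the Exploitation scenario above and the fix described here, the following Python script is an added example (not RosarioSIS code, and not the patch itself). It reproduces the two naming formats visible in the patch, enumerates every name the pre-11.0 code could have produced for an upload inside a known ten-minute window, and contrasts that with the post-fix name space and with a CSPRNG-based name. The base name salaries, the extension xlsx, the timestamps and the window are constructed values; random_name() is a hardening suggestion made here, not something the project ships.

```python
"""Name-space model for RosarioSIS upload files before and after the 11.0 fix.

Added example for this page, not RosarioSIS code. It reproduces in Python the
two PHP format strings visible in the patch (date('Y-m-d_His') and the six
digits taken from microtime()) so that the number of names an attacker must
try can be compared. The base name "salaries", the extension "xlsx", the
upload time and the ten-minute window below are constructed sample values.
"""
from datetime import datetime, timedelta
import secrets


def legacy_name(base: str, ext: str, when: datetime) -> str:
    """Pre-11.0 pattern <base>_<Y-m-d_His>.<ext>: one-second resolution."""
    return f"{base}_{when.strftime('%Y-%m-%d_%H%M%S')}.{ext}"


def patched_name(base: str, ext: str, when: datetime) -> str:
    """11.0 pattern: the same stamp followed by six microsecond digits, the
    Python equivalent of substr( (string) microtime(), 2, 6 ) in the patch."""
    return f"{base}_{when.strftime('%Y-%m-%d_%H%M%S')}.{when.microsecond:06d}.{ext}"


def legacy_candidates(base: str, ext: str, start: datetime, seconds: int) -> list:
    """Every name the pre-fix code could have produced for an upload made in
    the `seconds` seconds after `start`; each entry is one URL to probe."""
    return [legacy_name(base, ext, start + timedelta(seconds=s)) for s in range(seconds)]


def candidate_space(seconds: int, microseconds: bool = False) -> int:
    """Size of the name space for an upload somewhere in a window of
    `seconds` seconds: 1 name per second before the fix, 10**6 after it."""
    return seconds * (1_000_000 if microseconds else 1)


def random_name(base: str, ext: str, nbytes: int = 16) -> str:
    """Hardened alternative (an assumption, not part of the patch): a CSPRNG
    token instead of a clock, so no window of time narrows the guess."""
    return f"{base}_{secrets.token_hex(nbytes)}.{ext}"


# Constructed sample: "salaries.xlsx" uploaded at 15:30:45.251393 on 2023-04-11,
# and an attacker who only knows the upload happened in the ten minutes after 15:30.
SAMPLE_UPLOAD = datetime(2023, 4, 11, 15, 30, 45, 251393)
WINDOW_START = datetime(2023, 4, 11, 15, 30, 0)
WINDOW_SECONDS = 600


def demo() -> dict:
    """Run the comparison on the constructed sample and return the results."""
    legacy = legacy_name("salaries", "xlsx", SAMPLE_UPLOAD)
    patched = patched_name("salaries", "xlsx", SAMPLE_UPLOAD)
    probes = legacy_candidates("salaries", "xlsx", WINDOW_START, WINDOW_SECONDS)
    return {
        "legacy": legacy,                          # salaries_2023-04-11_153045.xlsx
        "patched": patched,                        # salaries_2023-04-11_153045.251393.xlsx
        "legacy_in_probe_list": legacy in probes,  # True: 600 requests are enough
        "probe_count": len(probes),                # 600
        "legacy_space": candidate_space(WINDOW_SECONDS),                    # 600
        "patched_space": candidate_space(WINDOW_SECONDS, microseconds=True),  # 600000000
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to print the comparison. The point of legacy_in_probe_list is that 600 GET requests, one per candidate name, are guaranteed to hit the real file when the upload minute is known; after the fix the same window needs 6 x 10^8 requests, which is impractical but still a clock-bounded search rather than a secret, which is why the random_name() variant is shown alongside.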

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                  Affected versions   Patched versions
francoisjacquet/rosariosis (Packagist)   < 11.0              11.0


Patches

1
09d5afaa6be0

Add microseconds to filename format to make it harder to predict

https://github.com/francoisjacquet/rosariosis · François Jacquet · Apr 11, 2023 · via ghsa
5 files changed · +20 −4
  • CHANGES.md  +1 −0  modified
    @@ -10,6 +10,7 @@ Changes in 11.0
     - Translate "Zip" & "Zipcode" to "Zip Code" in GetStuList.fnc.php, MyReport.php, Registration.fnc.php, Schools.php & Address.inc.php
     - HTML Text input min size is 2 in Inputs.php
     - Skip School Period column if has no students scheduled for selected date in Administration.php
    +- Add microseconds to filename format to make it harder to predict in FileUpload.fnc.php, Accounting/functions.php, PortalNotes.php & Student_Billing/functions.php
     
     Changes in 10.9.3
     -----------------
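Review bot: the changelog line names Accounting/functions.php and Student_Billing/functions.php, but the files changed in this commit are modules/Accounting/functions.inc.php and modules/Student_Billing/functions.inc.php; fix the two names so the entry matches the patch, and consider listing the module path for PortalNotes.php (modules/School_Setup/PortalNotes.php) the same way.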
    
  • modules/Accounting/functions.inc.php  +2 −1  modified
    @@ -351,7 +351,8 @@ function _saveSalariesFile( $id )
     		mb_strrpos( $_FILES[ $input ]['name'], '.' )
     	) );
     
    -	$file_name_no_ext .= '_' . date( 'Y-m-d_His' );
    +	// @since 11.0 Add microseconds to filename format to make it harder to predict.
    +	$file_name_no_ext .= '_' . date( 'Y-m-d_His' ) . '.' . substr( (string) microtime(), 2, 6 );
     
     	$file_attached = FileUpload(
     		$input,
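Review bot: the added line uses microtime() as the unpredictability source, which is a clock rather than a secret: the six digits narrow a guess to one in a million per second of upload time, but they are correlated with server-observable timestamps and are not cryptographically random. If the goal is names that cannot be guessed, append bin2hex( random_bytes( 8 ) ) instead of, or in addition to, the microsecond digits, and keep the date stamp only for human readability.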
    
  • modules/School_Setup/PortalNotes.php  +13 −1  modified
    @@ -127,12 +127,24 @@
     
     				if ( isset( $_FILES['FILE_ATTACHED_FILE'] ) )
     				{
    +					$file_name_no_ext = no_accents( mb_substr(
    +						$_FILES['FILE_ATTACHED_FILE']['name'],
    +						0,
    +						mb_strrpos( $_FILES['FILE_ATTACHED_FILE']['name'], '.' )
    +					) );
    +
    +					// @since 11.0 Add microseconds to filename format to make it harder to predict.
    +					$file_name_no_ext .= '_' . date( 'Y-m-d_His' ) . '.' . substr( (string) microtime(), 2, 6 );
    +
    +					// File attached to portal notes
     					$columns['FILE_ATTACHED'] = FileUpload(
     						'FILE_ATTACHED_FILE',
     						$PortalNotesFilesPath,
     						FileExtensionWhiteList(),
     						0,
    -						$error
    +						$error,
    +						'',
    +						$file_name_no_ext
     					);
     
     					// @since 6.8 Fix SQL error when quote in uploaded file name.
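Review bot: the new FileUpload() call passes two extra arguments ('' and $file_name_no_ext) whose parameters are not visible in this diff; confirm that FileUpload() in ProgramFunctions/FileUpload.fnc.php accepts a seventh argument for the base name, since the hunk for that file changes only FilesUploadUpdate(). Also, mb_strrpos() returns false when the uploaded name contains no dot, which makes mb_substr() return an empty string and the stored name becomes just '_<date>.<digits>.<ext>'; either guard that case or state in a comment that FileExtensionWhiteList() rejects extensionless uploads first.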
    
  • modules/Student_Billing/functions.inc.php  +2 −1  modified
    @@ -429,7 +429,8 @@ function _saveFeesFile( $id )
     		mb_strrpos( $_FILES[ $input ]['name'], '.' )
     	) );
     
    -	$file_name_no_ext .= '_' . date( 'Y-m-d_His' );
    +	// @since 11.0 Add microseconds to filename format to make it harder to predict.
    +	$file_name_no_ext .= '_' . date( 'Y-m-d_His' ) . '.' . substr( (string) microtime(), 2, 6 );
     
     	$file_attached = FileUpload(
     		$input,
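Review bot: this hunk is the third verbatim copy in the patch of `$file_name_no_ext .= '_' . date( 'Y-m-d_His' ) . '.' . substr( (string) microtime(), 2, 6 );` (Accounting, PortalNotes, here, and FileUpload.fnc.php). Factor it into one helper, for example a function in ProgramFunctions/FileUpload.fnc.php that takes the base name and returns the stamped one, so a later change to the naming scheme (say, switching to a random token) happens in one place rather than four.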
    
  • ProgramFunctions/FileUpload.fnc.php  +2 −1  modified
    @@ -408,7 +408,8 @@ function FilesUploadUpdate( $table, $request, $path, $id = 0 )
     			mb_strrpos( $_FILES[ $input ]['name'], '.' )
     		) );
     
    -		$file_name_no_ext .= '_' . date( 'Y-m-d_His' );
    +		// @since 11.0 Add microseconds to filename format to make it harder to predict.
    +		$file_name_no_ext .= '_' . date( 'Y-m-d_His' ) . '.' . substr( (string) microtime(), 2, 6 );
     
     		$new_file = FileUpload(
     			$input,
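Review bot: the (string) cast on microtime() is redundant, since microtime() without the get_as_float argument already returns the "msec sec" string, so substr( microtime(), 2, 6 ) reads the same. More importantly, the @since comment documents the intent but not the limit: the suffix only makes names harder to guess, it does not restrict who may fetch them, so add a sentence noting that the upload directory still needs its own access control.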
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
