CVE-2024-3138
Description
DISPUTED A vulnerability was found in francoisjacquet RosarioSIS 11.5.1. It has been rated as problematic. This issue affects some unknown processing of the component Add Portal Note. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The associated identifier of this vulnerability is VDB-258911. NOTE: The vendor explains that the PDF is opened by the browser app in a sandbox, so no data from the website should be accessible.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Disputed XSS vulnerability in RosarioSIS 11.5.1 Add Portal Note allows remote attacks; vendor claims PDF sandbox mitigates risk.
Vulnerability
Description
A disputed cross-site scripting (XSS) vulnerability exists in RosarioSIS 11.5.1, specifically in the Add Portal Note component. The issue allows manipulation leading to XSS, though the vendor argues that PDFs generated are opened in a browser sandbox, preventing access to website data [1].
Exploitation
The attack can be initiated remotely, but it requires user interaction to trigger the malicious script. No authentication is mentioned as necessary, but typical XSS exploits rely on an authenticated user viewing the crafted note [1].
Impact
The CVSS v3 base score is 3.5 (Low), reflecting the disputed nature and the vendor's claim that data exposure is limited due to sandboxing. If the vendor's assertion is incorrect, an attacker could potentially execute scripts in the context of the user's session, though the official dispute suggests limited practical impact [1].
Mitigation
As of the publication date, no patch has been released. The vendor disputes the vulnerability, so users should monitor for updates or implement additional input sanitization. Given the low severity and dispute, the risk may be acceptable for many deployments [1][2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| francoisjacquet/rosariosis | Packagist | <= 11.5.1 | — |
Affected products
- Range: = 11.5.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.