RosarioSIS version 6.7.2 contains a cross-site scripting (XSS) flaw in the Scheduling module. An attacker can inject code through a URL parameter that is not properly sanitized before it is rendered in the user's browser.
An attacker can exploit this vulnerability by submitting a specially crafted request as an authenticated user, such as an administrator. Once the request has been processed, the injected code executes in that user's session, allowing the attacker to run arbitrary code.
CVE-2020-15718 is the CVE tracking number assigned to this security issue.
Impacted Component
The vulnerability is in
Modules.php?modname=Scheduling/PrintSchedules.php
The include_inactive parameter is returned to the end user's browser without sufficient input validation.
Proof of Concept
http://rosariosis/Modules.php?modname=Scheduling/PrintSchedules.php&
search_modfunc=list&
include_inactive=" onmouseover="alert(1)"
When this URL is accessed by a logged-in admin user, the injected JavaScript executes when the affected element is interacted with.
To recreate the exploit:
1. Log into RosarioSIS as an Admin User
2. Send the request you created in step 1
3. Perform actions on the page returned from step 2
4. Look for any JavaScript code that has been executed.
If the exploit is successful, it can allow an attacker to:
1. Take over active authenticated sessions
2. Execute operations as an administrator
3. Include/edit malicious code within secure or trusted websites.
Although it requires authentication, this can still be highly damaging in a multi-user or shared administrative environment.
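The pattern behind this flaw and its fix, as an added PHP illustration that is not RosarioSIS source code. It assumes the include_inactive value is echoed into a double-quoted HTML attribute and that the only legitimate value is 'Y'; the function names are hypothetical.

```php
<?php
// Added illustration, not RosarioSIS source.
// Assumptions: the flag is echoed into a double-quoted HTML attribute and
// the only legitimate value is 'Y'. All function names are hypothetical.

// Vulnerable pattern: the raw request value is concatenated into value="...",
// so a double quote in the input ends the attribute and whatever follows is
// parsed by the browser as further attributes of the element.
function render_flag_unsafe(array $request): string
{
    $flag = $request['include_inactive'] ?? '';
    return '<input type="hidden" name="include_inactive" value="' . $flag . '">';
}

// Context-aware output encoding for HTML attributes. ENT_QUOTES encodes both
// quote styles; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function escape_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: validate against the allow-list first, then still encode
// on output so a later change to the validation cannot reopen the hole.
function render_flag_safe(array $request): string
{
    $raw = $request['include_inactive'] ?? '';
    // Strict comparison also rejects array input (include_inactive[]=...).
    $flag = ($raw === 'Y') ? 'Y' : '';
    return '<input type="hidden" name="include_inactive" value="'
        . escape_attr($flag) . '">';
}

// The parameter value from the proof of concept on this page.
$request = ['include_inactive' => '" onmouseover="alert(1)"'];

// Compare the three outputs: raw reflection, allow-listed flag, and
// encoding alone (for fields that must accept free text).
echo render_flag_unsafe($request), PHP_EOL;
echo render_flag_safe($request), PHP_EOL;
echo escape_attr($request['include_inactive']), PHP_EOL;
```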
Source: Exploit DB