
CVE-2021-45416 PoC — RosarioSIS cross-site scripting vulnerability

Associated Vulnerability
Title: RosarioSIS cross-site scripting vulnerability (CVE-2021-45416)
Description: Reflected Cross-site scripting (XSS) vulnerability in RosarioSIS 8.2.1 allows attackers to inject arbitrary HTML via the search_term parameter in the modules/Scheduling/Courses.php script.
Readme
# CVE-2021-45416
Reflected Cross-site scripting (XSS) vulnerability in RosarioSIS 8.2.1 allows attackers to inject arbitrary HTML via the search_term parameter in the modules/Scheduling/Courses.php script.

- Vendor: francoisjacquet
- Vendor Website: https://www.rosariosis.org/
- Affected Product: RosarioSIS
- Affected Versions: v8.2.1 (tested); it is _assumed_ that earlier versions are affected as well

---

### Instructions to reproduce: 
- Use RosarioSIS 8.2.1.
- Open the URL vulnerable to XSS: http://localhost/rosariosis/Modules.php?modname=misc/ChooseCourse.php&modfunc=choose_course&course_modfunc=search&last_year=&search_term=%22%20onfocus%3D%22alert%28%60XSS%60%29 (make sure to replace localhost/rosariosis with your web server's path). The URL-encoded search_term value decodes to `" onfocus="alert(`XSS`)`: the leading double quote closes the attribute the parameter is reflected into, and the remainder adds an onfocus event handler to that element.
- **Note that this page needs to be opened in a popup, for example using the JavaScript window.open() method. A proof of concept code is available in this repo.**

### Cause
User-supplied input in the search_term parameter is improperly neutralized in the modules/Scheduling/Courses.php script: it is reflected into the page without HTML-attribute encoding, so a double quote in the value terminates the attribute and any text after it is parsed as further attributes. Courses.php is reachable through ChooseCourse.php and ChooseRequest.php, as shown in the proof of concept that you can find in this repo.
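The following is an added illustration, not RosarioSIS code and not the vendor's fix (see the linked commit for that). It models the reflection pattern described above in a minimal PHP snippet: the function names `renderSearchBoxVulnerable`, `renderSearchBoxSafe` and `injectedHandlerAttributes`, and the `<input>` markup, are assumptions made for this example; the payload string is the one the PoC URL carries after URL decoding.

```php
<?php
// Added example, not part of the RosarioSIS code base or its fix commit.
// Models the search_term reflection described above and its hardened form.
// Function names and markup are assumptions for illustration only.

declare(strict_types=1);

// The search_term value the PoC URL carries, as PHP sees it after URL decoding.
const POC_SEARCH_TERM = '" onfocus="alert(`XSS`)';

// Vulnerable pattern: the raw parameter is concatenated into a quoted attribute.
// A double quote in the input closes the value attribute, and everything after
// it is parsed as additional attributes on the <input> element.
function renderSearchBoxVulnerable(string $searchTerm): string
{
    return '<input type="text" name="search_term" value="' . $searchTerm . '" autofocus>';
}

// Hardened pattern: htmlspecialchars with ENT_QUOTES encodes both quote kinds,
// so the input can never terminate the attribute it is placed in. ENT_SUBSTITUTE
// keeps invalid UTF-8 from silently turning the whole value into an empty string.
function renderSearchBoxSafe(string $searchTerm): string
{
    $encoded = htmlspecialchars($searchTerm, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="search_term" value="' . $encoded . '" autofocus>';
}

// Check used only for this demonstration: parse the rendered markup the way a
// browser would and list any on* event-handler attributes on <input> elements.
// A string search is not enough here, because the encoded (safe) output still
// contains the text "onfocus=" inside the attribute value.
function injectedHandlerAttributes(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();

    $found = [];
    foreach ($doc->getElementsByTagName('input') as $input) {
        foreach ($input->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                $found[] = $attr->name;
            }
        }
    }
    return $found;
}

$vulnerable = renderSearchBoxVulnerable(POC_SEARCH_TERM);
$safe       = renderSearchBoxSafe(POC_SEARCH_TERM);

echo "vulnerable: $vulnerable\n";
echo "  injected handlers: " . (implode(',', injectedHandlerAttributes($vulnerable)) ?: 'none') . "\n";
echo "safe:       $safe\n";
echo "  injected handlers: " . (implode(',', injectedHandlerAttributes($safe)) ?: 'none') . "\n";
```

Run it with `php example.php`. The vulnerable rendering yields an `<input>` carrying an `onfocus` attribute (and, with `autofocus` present, the handler fires without any user interaction, which is why a payload of this shape needs no click); the hardened rendering yields a single `value` attribute whose content is the literal payload text. The same encoding rule applies to every place a request parameter is placed inside an attribute, not only the search box used in the PoC.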

### Solution
Update to the latest version of RosarioSIS. This issue was fixed in version v8.3.

### References 
- YouTube video showing the proof of concept: https://www.youtube.com/watch?v=PvFUxSGpWpY
- Commit containing the fix: https://gitlab.com/francoisjacquet/rosariosis/-/commit/aec018065ca12ecef03ee454a8112f992ea35315
- Changelog for version v8.3: https://gitlab.com/francoisjacquet/rosariosis/blob/mobile/CHANGES.md#changes-in-83

---

#### History (in the format dd.mm.yyyy)
- 01.02.2022 - CVE published by MITRE
- 27.01.2022 - CVE was assigned and marked as reserved
- 17.12.2021 - Requested CVE through MITRE webform
- 22.10.2021 - Vendor released new version containing the fix (v8.3)
- 20.10.2021 - Received reply from vendor, along with a link to a new commit fixing the issue and the announcement that a new release containing the fix will follow in the same week. Vendor asked me to wait two months after that release before public disclosure.
- 20.10.2021 - Initial report to vendor
- 20.10.2021 - Discovery of vulnerability