Headline
CVE-2021-44566: Stored XSS Vulnerability (#259) · Issues · François Jacquet / rosariosis
A Cross Site Scripting (XSS) vulnerability exists in RosarioSIS before 4.3 via the SanitizeMarkDown function in ProgramFunctions/MarkDownHTML.fnc.php.
Hi @francoisjacquet
I believe to have found a Stored XSS Vulnerability in RosarioSIS. I decided not to go into any specifics here (yet). I would appreciate it if you could get back to me with your preferred way of talking about this, because I couldn’t find any information on how to talk about security related issues.
For completeness’ sake:
- The RosarioSIS version is the latest one (commit 6549919d)
- PHP version: 7.2.13
- PostgreSQL version: 10.6
- Server: Apache 2.4.29 (Ubuntu)
- Browser: Mozilla Firefox 64.0 (Ubuntu)
Regards
To upload designs, you’ll need to enable LFS and have an admin enable hashed storage. More information