GHSA-36cm-h8gv-mg97: RosarioSIS Stores Sensitive Data in a Mechanism without Access Control

RosarioSIS prior to 11.0 allows anyone, regardless of authentication status, to download and view file attachments under the salaries module. In addition, the file names consist of a date in YYYY-MM-DD format followed by a random six-digit string, so enumerating file names with automated tools is relatively easy. This could allow an attacker to gain access to sensitive salary information. The patch for version 11.0 adds microseconds to filenames to make them harder to guess.
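The two weaknesses the advisory names are separable: the download endpoint performs no authorization at all, and the stored names are small enough to enumerate. The Python below is an added illustration, not RosarioSIS code or its 11.0 patch: it contrasts a name-only lookup with a handler that resolves an opaque attachment id and then checks the requester against the record's owner, and it computes the per-day guessing space for the naming scheme described, for the same scheme with microseconds appended, and for a random token. The `User`/`Attachment` types, the `is_payroll_admin` role flag, the sample store, and the assumption that the six-digit part is uniformly random are all constructed for the example.

```python
# Added example (not RosarioSIS code): a download handler that enforces
# authorization before returning an attachment, plus a comparison of how
# much an attacker must guess under three filename schemes.
import math
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    name: str
    is_payroll_admin: bool  # hypothetical role flag for this example


@dataclass(frozen=True)
class Attachment:
    owner: str          # staff member whose salary record this belongs to
    stored_name: str    # filename on disk
    content: bytes


# Constructed sample store, keyed by an opaque attachment id. Stored names
# mimic the advisory's description: YYYY-MM-DD plus six random digits.
ATTACHMENTS = {
    "att-1": Attachment("alice", "2023-05-19_483920.pdf", b"alice salary pdf"),
    "att-2": Attachment("bob", "2023-05-19_117355.pdf", b"bob salary pdf"),
}


def vulnerable_download(stored_name: str) -> Optional[bytes]:
    """The pattern the advisory describes: whoever presents a filename gets
    the file. No identity is required, so the name is the only secret."""
    for att in ATTACHMENTS.values():
        if att.stored_name == stored_name:
            return att.content
    return None


def is_authorized(user: Optional[User], att: Attachment) -> bool:
    """Only the record's owner or a payroll admin may read it."""
    if user is None:
        return False
    return user.is_payroll_admin or user.name == att.owner


def download(user: Optional[User], attachment_id: str) -> bytes:
    """Hardened handler: resolve an opaque id, then enforce authorization.
    The stored filename never participates in the access decision."""
    att = ATTACHMENTS.get(attachment_id)
    if att is None:
        raise FileNotFoundError(attachment_id)
    if not is_authorized(user, att):
        # Unauthenticated (None) and wrong-user requests fail identically.
        raise PermissionError(f"{attachment_id} not readable by this user")
    return att.content


def guess_space_bits(distinct_names: int) -> float:
    """Bits an attacker must guess for one day's worth of names."""
    return math.log2(distinct_names)


# Per-day guessing space under each scheme. The six digits are assumed
# uniformly random (10**6 values); microseconds contribute at most 10**6
# more; a 16-byte token contributes 2**128.
SCHEMES = {
    "date + 6 random digits": guess_space_bits(10 ** 6),
    "date + 6 digits + microseconds": guess_space_bits(10 ** 6 * 10 ** 6),
    "date + 16-byte random token": guess_space_bits(2 ** 128),
}


def random_token_name(date: str, suffix: str = ".pdf") -> str:
    """Unguessable stored name; still pair it with the authorization check."""
    return f"{date}_{secrets.token_hex(16)}{suffix}"
```

Two caveats a reviewer would raise: microseconds come from the clock, not a random source, so the 40-bit figure is an upper bound that shrinks whenever the upload time is approximately known; and whatever the name looks like, an unauthenticated download path remains the root issue, which is why `download()` checks the requester first and treats the filename as storage detail only.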


Severity: High (GitHub Reviewed)
Package: francoisjacquet/rosariosis (Composer)
Published to the GitHub Advisory Database: May 19, 2023
Last updated: May 19, 2023

Related news

CVE-2023-2665: huntr – Security Bounties for any GitHub repository

Storage of Sensitive Data in a Mechanism without Access Control in GitHub repository francoisjacquet/rosariosis prior to 11.0.