cvelistv5 - CVE-2020-15716

CVE-2020-15716 (GCVE-0-2020-15716)

Vulnerability from cvelistv5 – Published: 2020-07-15 19:00 – Updated: 2025-04-16 14:31

Summary

RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper validation of user-supplied input by the Preferences.php script. A remote attacker could exploit this vulnerability using the tab parameter in a crafted URL.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://exchange.xforce.ibmcloud.com/vulnerabilit…
	https://gitlab.com/francoisjacquet/rosariosis/-/b…
	https://gitlab.com/francoisjacquet/rosariosis/-/i…
	https://gitlab.com/francoisjacquet/rosariosis/-/t…
	https://gitlab.com/francoisjacquet/rosariosis/-/c…
	https://github.com/MarkLee131/awesome-web-pocs/bl…

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T13:22:30.704Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/184942"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://gitlab.com/francoisjacquet/rosariosis/-/blob/mobile/CHANGES.md"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://gitlab.com/francoisjacquet/rosariosis/-/issues/291"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://gitlab.com/francoisjacquet/rosariosis/-/tags/v6.8-beta"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://gitlab.com/francoisjacquet/rosariosis/-/commit/89ae9de732024e3a2e99262aa98b400a1aa6975a"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper validation of user-supplied input by the Preferences.php script. A remote attacker could exploit this vulnerability using the tab parameter in a crafted URL."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-16T14:31:56.472Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/184942"
        },
        {
          "url": "https://gitlab.com/francoisjacquet/rosariosis/-/blob/mobile/CHANGES.md"
        },
        {
          "url": "https://gitlab.com/francoisjacquet/rosariosis/-/issues/291"
        },
        {
          "url": "https://gitlab.com/francoisjacquet/rosariosis/-/tags/v6.8-beta"
        },
        {
          "url": "https://gitlab.com/francoisjacquet/rosariosis/-/commit/89ae9de732024e3a2e99262aa98b400a1aa6975a"
        },
        {
          "url": "https://github.com/MarkLee131/awesome-web-pocs/blob/main/CVE-2020-15716.md"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-15716",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper validation of user-supplied input by the Preferences.php script. A remote attacker could exploit this vulnerability using the tab parameter in a crafted URL."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/184942",
              "refsource": "MISC",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/184942"
            },
            {
              "name": "https://gitlab.com/francoisjacquet/rosariosis/-/blob/mobile/CHANGES.md",
              "refsource": "MISC",
              "url": "https://gitlab.com/francoisjacquet/rosariosis/-/blob/mobile/CHANGES.md"
            },
            {
              "name": "https://gitlab.com/francoisjacquet/rosariosis/-/issues/291",
              "refsource": "MISC",
              "url": "https://gitlab.com/francoisjacquet/rosariosis/-/issues/291"
            },
            {
              "name": "https://gitlab.com/francoisjacquet/rosariosis/-/tags/v6.8-beta",
              "refsource": "MISC",
              "url": "https://gitlab.com/francoisjacquet/rosariosis/-/tags/v6.8-beta"
            },
            {
              "name": "https://gitlab.com/francoisjacquet/rosariosis/-/commit/89ae9de732024e3a2e99262aa98b400a1aa6975a",
              "refsource": "CONFIRM",
              "url": "https://gitlab.com/francoisjacquet/rosariosis/-/commit/89ae9de732024e3a2e99262aa98b400a1aa6975a"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-15716",
    "datePublished": "2020-07-15T19:00:44.000Z",
    "dateReserved": "2020-07-14T00:00:00.000Z",
    "dateUpdated": "2025-04-16T14:31:56.472Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rosariosis:rosariosis:6.7.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4A870F8E-3082-421C-A701-75D43DD6276C\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper validation of user-supplied input by the Preferences.php script. A remote attacker could exploit this vulnerability using the tab parameter in a crafted URL.\"}, {\"lang\": \"es\", \"value\": \"RosarioSIS versi\\u00f3n 6.7.2, es vulnerable a un ataque de tipo XSS, causado por una comprobaci\\u00f3n inapropiada de la entrada suministrada por el usuario mediante el script Preferences.php. Un atacante remoto podr\\u00eda explotar esta vulnerabilidad usando el par\\u00e1metro tab en una URL dise\\u00f1ada\"}]",
      "id": "CVE-2020-15716",
      "lastModified": "2024-11-21T05:06:05.440",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2020-07-15T19:15:12.163",
      "references": "[{\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/184942\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://gitlab.com/francoisjacquet/rosariosis/-/blob/mobile/CHANGES.md\", \"source\": \"cve@mitre.org\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://gitlab.com/francoisjacquet/rosariosis/-/commit/89ae9de732024e3a2e99262aa98b400a1aa6975a\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://gitlab.com/francoisjacquet/rosariosis/-/issues/291\", \"source\": \"cve@mitre.org\", \"tags\": [\"Broken Link\"]}, {\"url\": \"https://gitlab.com/francoisjacquet/rosariosis/-/tags/v6.8-beta\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/184942\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://gitlab.com/francoisjacquet/rosariosis/-/blob/mobile/CHANGES.md\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://gitlab.com/francoisjacquet/rosariosis/-/commit/89ae9de732024e3a2e99262aa98b400a1aa6975a\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://gitlab.com/francoisjacquet/rosariosis/-/issues/291\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\"]}, {\"url\": \"https://gitlab.com/francoisjacquet/rosariosis/-/tags/v6.8-beta\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-15716\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2020-07-15T19:15:12.163\",\"lastModified\":\"2025-04-16T15:15:45.380\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper validation of user-supplied input by the Preferences.php script. A remote attacker could exploit this vulnerability using the tab parameter in a crafted URL.\"},{\"lang\":\"es\",\"value\":\"RosarioSIS versi\u00f3n 6.7.2, es vulnerable a un ataque de tipo XSS, causado por una comprobaci\u00f3n inapropiada de la entrada suministrada por el usuario mediante el script Preferences.php. Un atacante remoto podr\u00eda explotar esta vulnerabilidad usando el par\u00e1metro tab en una URL dise\u00f1ada\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rosariosis:rosariosis:6.7.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4A870F8E-3082-421C-A701-75D43DD6276C\"}]}]}],\"references\":[{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/184942\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://github.com/MarkLee131/awesome-web-pocs/blob/main/CVE-2020-15716.md\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://gitlab.com/francoisjacquet/rosariosis/-/blob/mobile/CHANGES.md\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://gitlab.com/francoisjacquet/rosariosis/-/commit/89ae9de732024e3a2e99262aa98b400a1aa6975a\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://gitlab.com/francoisjacquet/rosariosis/-/issues/291\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://gitlab.com/francoisjacquet/rosariosis/-/tags/v6.8-beta\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/184942\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://gitlab.com/francoisjacquet/rosariosis/-/blob/mobile/CHANGES.md\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://gitlab.com/francoisjacquet/rosariosis/-/commit/89ae9de732024e3a2e99262aa98b400a1aa6975a\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://gitlab.com/francoisjacquet/rosariosis/-/issues/291\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://gitlab.com/francoisjacquet/rosariosis/-/tags/v6.8-beta\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}

GHSA-WC7J-RV6H-GCX6

Vulnerability from github – Published: 2022-05-24 17:23 – Updated: 2025-04-16 15:34

Details

Severity ?

6.1 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2020-15716"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-07-15T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper validation of user-supplied input by the Preferences.php script. A remote attacker could exploit this vulnerability using the tab parameter in a crafted URL.",
  "id": "GHSA-wc7j-rv6h-gcx6",
  "modified": "2025-04-16T15:34:02Z",
  "published": "2022-05-24T17:23:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15716"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/184942"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MarkLee131/awesome-web-pocs/blob/main/CVE-2020-15716.md"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/francoisjacquet/rosariosis/-/blob/mobile/CHANGES.md"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/francoisjacquet/rosariosis/-/commit/89ae9de732024e3a2e99262aa98b400a1aa6975a"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/francoisjacquet/rosariosis/-/issues/291"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/francoisjacquet/rosariosis/-/tags/v6.8-beta"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

FKIE_CVE-2020-15716

Vulnerability from fkie_nvd - Published: 2020-07-15 19:15 - Updated: 2025-04-16 15:15

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
cve@mitre.org	https://exchange.xforce.ibmcloud.com/vulnerabilities/184942	Third Party Advisory, VDB Entry
cve@mitre.org	https://github.com/MarkLee131/awesome-web-pocs/blob/main/CVE-2020-15716.md
cve@mitre.org	https://gitlab.com/francoisjacquet/rosariosis/-/blob/mobile/CHANGES.md	Release Notes, Third Party Advisory
cve@mitre.org	https://gitlab.com/francoisjacquet/rosariosis/-/commit/89ae9de732024e3a2e99262aa98b400a1aa6975a	Patch, Third Party Advisory
cve@mitre.org	https://gitlab.com/francoisjacquet/rosariosis/-/issues/291	Broken Link
cve@mitre.org	https://gitlab.com/francoisjacquet/rosariosis/-/tags/v6.8-beta	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://exchange.xforce.ibmcloud.com/vulnerabilities/184942	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://gitlab.com/francoisjacquet/rosariosis/-/blob/mobile/CHANGES.md	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://gitlab.com/francoisjacquet/rosariosis/-/commit/89ae9de732024e3a2e99262aa98b400a1aa6975a	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://gitlab.com/francoisjacquet/rosariosis/-/issues/291	Broken Link
af854a3a-2127-422b-91ae-364da2661108	https://gitlab.com/francoisjacquet/rosariosis/-/tags/v6.8-beta	Third Party Advisory

Impacted products

	Vendor	Product	Version
	rosariosis	rosariosis	6.7.2

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:rosariosis:rosariosis:6.7.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "4A870F8E-3082-421C-A701-75D43DD6276C",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper validation of user-supplied input by the Preferences.php script. A remote attacker could exploit this vulnerability using the tab parameter in a crafted URL."
    },
    {
      "lang": "es",
      "value": "RosarioSIS versi\u00f3n 6.7.2, es vulnerable a un ataque de tipo XSS, causado por una comprobaci\u00f3n inapropiada de la entrada suministrada por el usuario mediante el script Preferences.php. Un atacante remoto podr\u00eda explotar esta vulnerabilidad usando el par\u00e1metro tab en una URL dise\u00f1ada"
    }
  ],
  "id": "CVE-2020-15716",
  "lastModified": "2025-04-16T15:15:45.380",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-07-15T19:15:12.163",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/184942"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://github.com/MarkLee131/awesome-web-pocs/blob/main/CVE-2020-15716.md"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://gitlab.com/francoisjacquet/rosariosis/-/blob/mobile/CHANGES.md"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://gitlab.com/francoisjacquet/rosariosis/-/commit/89ae9de732024e3a2e99262aa98b400a1aa6975a"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Broken Link"
      ],
      "url": "https://gitlab.com/francoisjacquet/rosariosis/-/issues/291"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://gitlab.com/francoisjacquet/rosariosis/-/tags/v6.8-beta"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/184942"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://gitlab.com/francoisjacquet/rosariosis/-/blob/mobile/CHANGES.md"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://gitlab.com/francoisjacquet/rosariosis/-/commit/89ae9de732024e3a2e99262aa98b400a1aa6975a"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "https://gitlab.com/francoisjacquet/rosariosis/-/issues/291"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://gitlab.com/francoisjacquet/rosariosis/-/tags/v6.8-beta"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2020-15716

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2020-15716

Aliases

CVE-2020-15716

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-15716",
    "description": "RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper validation of user-supplied input by the Preferences.php script. A remote attacker could exploit this vulnerability using the tab parameter in a crafted URL.",
    "id": "GSD-2020-15716"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-15716"
      ],
      "details": "RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper validation of user-supplied input by the Preferences.php script. A remote attacker could exploit this vulnerability using the tab parameter in a crafted URL.",
      "id": "GSD-2020-15716",
      "modified": "2023-12-13T01:21:43.312104Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2020-15716",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper validation of user-supplied input by the Preferences.php script. A remote attacker could exploit this vulnerability using the tab parameter in a crafted URL."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/184942",
            "refsource": "MISC",
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/184942"
          },
          {
            "name": "https://gitlab.com/francoisjacquet/rosariosis/-/blob/mobile/CHANGES.md",
            "refsource": "MISC",
            "url": "https://gitlab.com/francoisjacquet/rosariosis/-/blob/mobile/CHANGES.md"
          },
          {
            "name": "https://gitlab.com/francoisjacquet/rosariosis/-/issues/291",
            "refsource": "MISC",
            "url": "https://gitlab.com/francoisjacquet/rosariosis/-/issues/291"
          },
          {
            "name": "https://gitlab.com/francoisjacquet/rosariosis/-/tags/v6.8-beta",
            "refsource": "MISC",
            "url": "https://gitlab.com/francoisjacquet/rosariosis/-/tags/v6.8-beta"
          },
          {
            "name": "https://gitlab.com/francoisjacquet/rosariosis/-/commit/89ae9de732024e3a2e99262aa98b400a1aa6975a",
            "refsource": "CONFIRM",
            "url": "https://gitlab.com/francoisjacquet/rosariosis/-/commit/89ae9de732024e3a2e99262aa98b400a1aa6975a"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:rosariosis:rosariosis:6.7.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-15716"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "RosarioSIS 6.7.2 is vulnerable to XSS, caused by improper validation of user-supplied input by the Preferences.php script. A remote attacker could exploit this vulnerability using the tab parameter in a crafted URL."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://gitlab.com/francoisjacquet/rosariosis/-/blob/mobile/CHANGES.md",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://gitlab.com/francoisjacquet/rosariosis/-/blob/mobile/CHANGES.md"
            },
            {
              "name": "https://gitlab.com/francoisjacquet/rosariosis/-/issues/291",
              "refsource": "MISC",
              "tags": [
                "Broken Link"
              ],
              "url": "https://gitlab.com/francoisjacquet/rosariosis/-/issues/291"
            },
            {
              "name": "https://gitlab.com/francoisjacquet/rosariosis/-/commit/89ae9de732024e3a2e99262aa98b400a1aa6975a",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://gitlab.com/francoisjacquet/rosariosis/-/commit/89ae9de732024e3a2e99262aa98b400a1aa6975a"
            },
            {
              "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/184942",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/184942"
            },
            {
              "name": "https://gitlab.com/francoisjacquet/rosariosis/-/tags/v6.8-beta",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://gitlab.com/francoisjacquet/rosariosis/-/tags/v6.8-beta"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2020-07-22T16:59Z",
      "publishedDate": "2020-07-15T19:15Z"
    }
  }
}

CNVD-2020-42950

Vulnerability from cnvd - Published: 2020-07-29

Title

RosarioSIS跨站脚本漏洞（CNVD-2020-42950）

Description

RosarioSIS是一款用于学校管理的学生信息系统。 RosarioSIS 6.7.2存在跨站脚本漏洞。该漏洞源于Preferences.php脚本对用户提供的输入验证不当。远程攻击者可通过tab参数利用该漏洞在宿主网站的安全上下文内的受害者的Web浏览器中执行脚本。

Severity

低

Patch Name

RosarioSIS跨站脚本漏洞（CNVD-2020-42950）的补丁

Patch Description

RosarioSIS是一款用于学校管理的学生信息系统。 RosarioSIS 6.7.2存在跨站脚本漏洞。该漏洞源于Preferences.php脚本对用户提供的输入验证不当。远程攻击者可通过tab参数利用该漏洞在宿主网站的安全上下文内的受害者的Web浏览器中执行脚本。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://gitlab.com/francoisjacquet/rosariosis/-/commit/89ae9de732024e3a2e99262aa98b400a1aa6975a

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-15716

Impacted products

Name
RosarioSIS RosarioSIS 6.7.2

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-15716",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-15716"
    }
  },
  "description": "RosarioSIS\u662f\u4e00\u6b3e\u7528\u4e8e\u5b66\u6821\u7ba1\u7406\u7684\u5b66\u751f\u4fe1\u606f\u7cfb\u7edf\u3002\n\nRosarioSIS 6.7.2\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8ePreferences.php\u811a\u672c\u5bf9\u7528\u6237\u63d0\u4f9b\u7684\u8f93\u5165\u9a8c\u8bc1\u4e0d\u5f53\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7tab\u53c2\u6570\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u5bbf\u4e3b\u7f51\u7ad9\u7684\u5b89\u5168\u4e0a\u4e0b\u6587\u5185\u7684\u53d7\u5bb3\u8005\u7684Web\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u811a\u672c\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://gitlab.com/francoisjacquet/rosariosis/-/commit/89ae9de732024e3a2e99262aa98b400a1aa6975a",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-42950",
  "openTime": "2020-07-29",
  "patchDescription": "RosarioSIS\u662f\u4e00\u6b3e\u7528\u4e8e\u5b66\u6821\u7ba1\u7406\u7684\u5b66\u751f\u4fe1\u606f\u7cfb\u7edf\u3002\r\n\r\nRosarioSIS 6.7.2\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8ePreferences.php\u811a\u672c\u5bf9\u7528\u6237\u63d0\u4f9b\u7684\u8f93\u5165\u9a8c\u8bc1\u4e0d\u5f53\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7tab\u53c2\u6570\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u5bbf\u4e3b\u7f51\u7ad9\u7684\u5b89\u5168\u4e0a\u4e0b\u6587\u5185\u7684\u53d7\u5bb3\u8005\u7684Web\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u811a\u672c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "RosarioSIS\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2020-42950\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "RosarioSIS RosarioSIS 6.7.2"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-15716",
  "serverity": "\u4f4e",
  "submitTime": "2020-07-27",
  "title": "RosarioSIS\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2020-42950\uff09"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-15716 (GCVE-0-2020-15716)

GHSA-WC7J-RV6H-GCX6

FKIE_CVE-2020-15716

GSD-2020-15716

CNVD-2020-42950

Tags

Sightings

Nomenclature