CVE-2021-44427 – francoisjacquet/rosariosis
Package
Manager: composer
Name: francoisjacquet/rosariosis
Vulnerable Version: >=0 <8.1.1
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.85981 (percentile: 0.99348)
Details
SQL Injection in rosariosis
An unauthenticated SQL Injection vulnerability in Rosario Student Information System (aka rosariosis) before 8.1.1 allows remote attackers to execute PostgreSQL statements (e.g., SELECT, INSERT, UPDATE, and DELETE) through /Side.php via the syear parameter.
Metadata
Created: 2021-12-02T17:48:53Z
Modified: 2021-12-01T21:03:52Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-wf5p-f5xr-c4jj/GHSA-wf5p-f5xr-c4jj.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-wf5p-f5xr-c4jj
Finding: F297
Auto approve: 1