
CVE-2023-2665 francoisjacquet/rosariosis

Package

Manager: composer
Name: francoisjacquet/rosariosis
Vulnerable Version: >=0 <11.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00082 (percentile 0.24815)

Details

RosarioSIS Stores Sensitive Data in a Mechanism without Access Control

RosarioSIS prior to 11.0 allows anyone, regardless of authentication status, to download and view file attachments under the `salaries` module. In addition, the file names consist of a date in `YYYY-MM-DD` format and a random six-digit string, so once the upload date is known there are at most one million candidate names per day, and they can be enumerated with automated tools. An attacker could therefore gain access to sensitive salary information. The patch for version 11.0 adds microseconds to the file names to enlarge the guess space; the advisory does not describe an added authorization check, so treat the fix as reducing guessability rather than enforcing access control, and after upgrading verify that attachment URLs are not served to unauthenticated requests.
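The following is an added example, not code from RosarioSIS or the advisory, that makes the enumeration risk concrete from the defender's side: it sizes the guess space before and after the microsecond change and flags, from web-server access logs, clients that walk through date-plus-six-digit attachment names. The exact file-name layout (`<YYYY-MM-DD>-<six digits>.<ext>`), the `/assets/salaries/` path prefix, the assumption that the microsecond component multiplies the guess space per second of upload-time uncertainty, and the Apache combined log format are all assumptions for illustration; the log lines are constructed, not real traffic.

```python
import re
from collections import defaultdict
from datetime import date

# Assumed pre-11.0 naming scheme: "<YYYY-MM-DD>-<6 random digits>.<ext>".
# The advisory only states that names contain a YYYY-MM-DD date and a random
# six-digit string; the separator and extension here are placeholders.
PRE_PATCH_RE = re.compile(r"(\d{4}-\d{2}-\d{2})-(\d{6})\.\w+$")

# Apache combined log format (assumption about the deployment's logging).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def guess_space(date_known: bool, patched: bool, seconds_window: int = 86400) -> int:
    """Number of candidate names an attacker must try.

    Pre-patch: a known upload date leaves only the 10**6 six-digit strings.
    Patched (11.0 adds microseconds): assume each second of upload-time
    uncertainty adds 10**6 microsecond values on top of the random digits.
    With no date known, a one-year window (365 days) is assumed.
    """
    days = 1 if date_known else 365
    digits = 10 ** 6
    if not patched:
        return days * digits
    return days * seconds_window * 10 ** 6 * digits


def candidate_names(d: date, ext: str = "pdf", start: int = 0):
    """Yield pre-patch candidate names for one date, in numeric order.

    Shows how little an enumeration tool needs once the date is known.
    """
    for n in range(start, 10 ** 6):
        yield f"{d.isoformat()}-{n:06d}.{ext}"


def detect_enumeration(lines, path_prefix="/assets/salaries/", threshold=20):
    """Flag clients requesting many date+six-digit attachment names.

    Returns {ip: (requests, misses)} for clients at or above threshold;
    a high miss (404) ratio is the signature of blind name guessing.
    """
    stats = defaultdict(lambda: [0, 0])
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(path_prefix):
            continue
        name = m["path"].rsplit("/", 1)[-1]
        if not PRE_PATCH_RE.search(name):
            continue
        s = stats[m["ip"]]
        s[0] += 1
        if m["status"] == "404":
            s[1] += 1
    return {ip: tuple(s) for ip, s in stats.items() if s[0] >= threshold}


def sample_log():
    """Constructed log lines: one client sweeping names, one legitimate user."""
    lines = []
    for n in range(25):
        status = 200 if n == 24 else 404  # the sweep finally hits a real file
        lines.append(
            f'198.51.100.7 - - [19/May/2023:10:00:{n:02d} +0000] '
            f'"GET /assets/salaries/2023-05-19-{123400 + n:06d}.pdf HTTP/1.1" '
            f'{status} 512 "-" "curl/8.0"'
        )
    lines.append('203.0.113.5 - - [19/May/2023:10:01:00 +0000] '
                 '"GET /assets/salaries/2023-05-19-481516.pdf HTTP/1.1" 200 9812 "-" "Mozilla/5.0"')
    lines.append('203.0.113.5 - - [19/May/2023:10:01:02 +0000] '
                 '"GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    print("pre-patch, date known:", guess_space(True, False))
    print("patched, upload second known:", guess_space(True, True, seconds_window=1))
    print("first candidate:", next(candidate_names(date(2023, 5, 19))))
    print("suspicious clients:", detect_enumeration(sample_log()))
```

The sizing function makes the point of the caveat above: the microsecond component only helps to the extent the attacker does not know when the file was uploaded, and it never replaces an authorization check on the download path. The detector is the kind of rule a SOC would run over access logs while the fix is rolled out; tune `threshold` to the normal number of attachment downloads per client in your environment.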

Metadata

Created: 2023-05-19T18:30:25Z
Modified: 2023-05-19T23:45:12Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-36cm-h8gv-mg97/GHSA-36cm-h8gv-mg97.json
CWE IDs: ["CWE-921", "CWE-922"]
Alternative ID: GHSA-36cm-h8gv-mg97
Finding: F038
Auto approve: 1