
CVE-2022-1997: Cross-site Scripting in RosarioSIS

CVSS Score: 5.4 (CVSS v3.1)

Basic Information

EPSS Score: 0.52288%
Published: 6/9/2022
Updated: 1/27/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name                 Ecosystem   Vulnerable Versions   First Patched Version
francoisjacquet/rosariosis   composer    < 9.0                 9.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The fix replaces a case-sensitive strpos check with a case-insensitive stripos check in the routine that strips dangerous patterns from PHP_SELF before the value is reused during page generation. Because the original check matched only lowercase patterns, a JavaScript event handler written with non-lowercase characters passed through untouched, so a crafted URL could plant a stored XSS payload in the generated page. That sanitization routine is therefore the root cause: improper neutralization of input during web page generation (CWE-79).
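The case-sensitivity bypass described above, as an added PHP example. This is not RosarioSIS's own sanitizer: the function names, the pattern list and the sample URLs are assumptions made for illustration. The vulnerable variant mirrors the pre-9.0 strpos behaviour, the fixed variant the stripos change, and a third function shows the output-encoding step a practitioner would want regardless of how good the blocklist is.

```php
<?php
// Added illustration, not RosarioSIS code. A simplified stand-in for the
// PHP_SELF sanitizer the advisory describes; names and patterns are assumptions.
declare(strict_types=1);

/** Substrings a naive blocklist tries to strip from a URL before it is echoed. */
const DANGEROUS_PATTERNS = ['javascript:', 'onclick=', 'onerror=', 'onload=', 'onmouseover='];

/** Removes every occurrence of $pattern from $url using the supplied search function. */
function strip_pattern(string $url, string $pattern, callable $search): string
{
    // Loop until no occurrence remains, so "oonclick=nclick=" cannot reassemble
    // a handler after a single removal.
    while (($pos = $search($url, $pattern)) !== false) {
        $url = substr($url, 0, $pos) . substr($url, $pos + strlen($pattern));
    }
    return $url;
}

/** Vulnerable: case-sensitive strpos, so "OnClick=" is never matched. */
function sanitize_php_self_vulnerable(string $url): string
{
    foreach (DANGEROUS_PATTERNS as $pattern) {
        $url = strip_pattern($url, $pattern, 'strpos');
    }
    return $url;
}

/** Fixed: case-insensitive stripos, matching any casing of the handler name. */
function sanitize_php_self_fixed(string $url): string
{
    foreach (DANGEROUS_PATTERNS as $pattern) {
        $url = strip_pattern($url, $pattern, 'stripos');
    }
    return $url;
}

/** Defence in depth: HTML-encode on output so quotes cannot close the attribute. */
function render_form_action(string $phpSelf): string
{
    return '<form action="' . htmlspecialchars($phpSelf, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// Constructed attacker input: the same payload in lowercase and in mixed case.
$payloads = [
    '/Modules.php" onclick="alert(1)',   // lowercase: stripped by both versions
    '/Modules.php" OnClick="alert(1)',   // mixed case: survives the strpos version
    '/Modules.php?x=jAvAsCrIpT:alert(1)', // mixed-case scheme: survives the strpos version
];

foreach ($payloads as $p) {
    printf("input   : %s\nvuln    : %s\nfixed   : %s\nencoded : %s\n\n",
        $p,
        sanitize_php_self_vulnerable($p),
        sanitize_php_self_fixed($p),
        render_form_action(sanitize_php_self_fixed($p)));
}
```

Run it with `php example.php`: the vulnerable function returns the mixed-case payloads unchanged, while the fixed one strips them. The encoded line shows why a blocklist should never be the last line of defence: even if a new bypass slips past strip_pattern, htmlspecialchars with ENT_QUOTES turns the closing quote into `&quot;`, so the injected text stays inside the attribute value instead of becoming markup.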


WAF Protection Rules

WAF Rule

Cross-site Scripting (XSS) - Stored in GitHub repository francoisjacquet/rosariosis prior to 9.0.

Reasoning

The commit diff shows a critical change from `strpos` to `stripos` in URL sanitization logic. The original case-sensitive check failed to remove JavaScript handlers with non-lowercase characters, enabling stored XSS via crafted URLs. This `function`