GHSA-36cm-h8gv-mg97

Source
https://github.com/advisories/GHSA-36cm-h8gv-mg97
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-36cm-h8gv-mg97/GHSA-36cm-h8gv-mg97.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-36cm-h8gv-mg97
Aliases
Published
2023-05-19T18:30:25Z
Modified
2024-02-16T07:46:23.411209Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
RosarioSIS Stores Sensitive Data in a Mechanism without Access Control
Details

RosarioSIS prior to 11.0 allows anyone, regardless of authentication status, to download and view file attachments under the salaries module. In addition, the file names consist of a date in YYYY-MM-DD format and a random six-digit string, which makes enumerating file names with automated tools relatively easy. This could allow an attacker to gain access to sensitive salary information. The patch for version 11.0 adds microseconds to filenames to make them harder to guess.

Database specific
{
    "nvd_published_at": "2023-05-12T01:15:09Z",
    "cwe_ids": [
        "CWE-921",
        "CWE-922"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-19T23:45:12Z"
}
References

Affected packages

Packagist / francoisjacquet/rosariosis

Package

Name
francoisjacquet/rosariosis
Purl
pkg:composer/francoisjacquet/rosariosis

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
11.0

Affected versions

v5.*

v5.0-beta3
v5.0-beta4
v5.0
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.1-beta
v5.1
v5.1.1
v5.2-beta
v5.2
v5.3-beta
v5.3
v5.3.1
v5.3.2
v5.3.3
v5.3.4
v5.4-beta
v5.4
v5.4.1
v5.4.2
v5.4.3
v5.4.4
v5.4.5
v5.4.6
v5.4.7
v5.5-beta
v5.5-beta2
v5.5-beta3
v5.5
v5.5.1
v5.5.2
v5.5.3
v5.5.4
v5.6-beta
v5.6
v5.6.1
v5.6.2
v5.6.3
v5.6.4
v5.6.5
v5.7
v5.7.1
v5.7.2
v5.7.3
v5.7.4
v5.7.5
v5.7.6
v5.7.7
v5.8-beta
v5.8-beta2
v5.8-beta3
v5.8-beta4
v5.8-beta5
v5.8
v5.8.1
v5.9-beta2
v5.9-beta3
v5.9
v5.9.1
v5.9.2
v5.9.3
v5.9.4
v5.9.5
v5.9.6

v6.*

v6.0-beta
v6.0
v6.1
v6.2
v6.2.1
v6.2.2
v6.2.3
v6.3
v6.4
v6.4.1
v6.4.2
v6.5
v6.5.1
v6.5.2
v6.6
v6.6.1
v6.7
v6.7.1
v6.7.2
v6.8-beta
v6.8
v6.8.1
v6.9-beta
v6.9
v6.9.1
v6.9.2
v6.9.3
v6.9.4

v7.*

v7.0-beta
v7.0
v7.0.1
v7.0.2
v7.0.3
v7.0.4
v7.1
v7.1.1
v7.1.2
v7.1.3
v7.1.4
v7.2
v7.2.1
v7.2.2
v7.2.3
v7.2.4
v7.3
v7.3.1
v7.4
v7.5
v7.6
v7.6.1
v7.7
v7.8
v7.8.1
v7.8.2
v7.8.3
v7.8.4
v7.9
v7.9.1
v7.9.2
v7.9.3

v8.*

v8.0
v8.0.1
v8.0.2
v8.0.3
v8.0.4
v8.1
v8.1.1
v8.2
v8.2.1
v8.3
v8.3.1
v8.4
v8.5
v8.5.1
v8.5.2
v8.6
v8.6.1
v8.7
v8.8
v8.9
v8.9.1
v8.9.2
v8.9.3
v8.9.4
v8.9.5
v8.9.6

v9.*

v9.0
v9.1
v9.1.1
v9.2.2
v9.3
v9.3.1
v9.3.2

v10.*

v10.1
v10.2
v10.2.1
v10.2.2
v10.2.3
v10.3
v10.3.1
v10.3.2
v10.3.3
v10.4
v10.4.1
v10.4.2
v10.4.3
v10.4.4
v10.5
v10.5.1
v10.5.2
v10.6
v10.6.1
v10.6.2
v10.6.3
v10.7
v10.7.1
v10.8
v10.8.1
v10.8.2
v10.8.3
v10.8.4
v10.8.5
v10.9
v10.9.1
v10.9.2
v10.9.3
v10.9.4
v10.9.5
v10.9.6
v10.9.7
v10.9.8