GHSA-36cm-h8gv-mg97

Suggest an improvement
Source
https://github.com/advisories/GHSA-36cm-h8gv-mg97
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-36cm-h8gv-mg97/GHSA-36cm-h8gv-mg97.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-36cm-h8gv-mg97
Aliases
Published
2023-05-19T18:30:25Z
Modified
2024-02-16T07:46:23.411209Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
RosarioSIS Stores Sensitive Data in a Mechanism without Access Control
Details

RosarioSIS prior to 11.0 allows anyone, regardless of authentication status, to download and view file attachments under the salaries module. In addition, the file names contain a date in a YYYY-MM-DD format and a random six-string digit, making enumerating file names with automated tools relatively easy. This could allow an attacker to gain access to sensitive salary information. The patch for version 11.0 adds microseconds to filenames to make them harder to guess.

References

Affected packages

Packagist / francoisjacquet/rosariosis

Package

Name
francoisjacquet/rosariosis
Purl
pkg:composer/francoisjacquet/rosariosis

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
11.0

Affected versions

v5.*

v5.0-beta3
v5.0-beta4
v5.0
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.1-beta
v5.1
v5.1.1
v5.2-beta
v5.2
v5.3-beta
v5.3
v5.3.1
v5.3.2
v5.3.3
v5.3.4
v5.4-beta
v5.4
v5.4.1
v5.4.2
v5.4.3
v5.4.4
v5.4.5
v5.4.6
v5.4.7
v5.5-beta
v5.5-beta2
v5.5-beta3
v5.5
v5.5.1
v5.5.2
v5.5.3
v5.5.4
v5.6-beta
v5.6
v5.6.1
v5.6.2
v5.6.3
v5.6.4
v5.6.5
v5.7
v5.7.1
v5.7.2
v5.7.3
v5.7.4
v5.7.5
v5.7.6
v5.7.7
v5.8-beta
v5.8-beta2
v5.8-beta3
v5.8-beta4
v5.8-beta5
v5.8
v5.8.1
v5.9-beta2
v5.9-beta3
v5.9
v5.9.1
v5.9.2
v5.9.3
v5.9.4
v5.9.5
v5.9.6

v6.*

v6.0-beta
v6.0
v6.1
v6.2
v6.2.1
v6.2.2
v6.2.3
v6.3
v6.4
v6.4.1
v6.4.2
v6.5
v6.5.1
v6.5.2
v6.6
v6.6.1
v6.7
v6.7.1
v6.7.2
v6.8-beta
v6.8
v6.8.1
v6.9-beta
v6.9
v6.9.1
v6.9.2
v6.9.3
v6.9.4

v7.*

v7.0-beta
v7.0
v7.0.1
v7.0.2
v7.0.3
v7.0.4
v7.1
v7.1.1
v7.1.2
v7.1.3
v7.1.4
v7.2
v7.2.1
v7.2.2
v7.2.3
v7.2.4
v7.3
v7.3.1
v7.4
v7.5
v7.6
v7.6.1
v7.7
v7.8
v7.8.1
v7.8.2
v7.8.3
v7.8.4
v7.9
v7.9.1
v7.9.2
v7.9.3

v8.*

v8.0
v8.0.1
v8.0.2
v8.0.3
v8.0.4
v8.1
v8.1.1
v8.2
v8.2.1
v8.3
v8.3.1
v8.4
v8.5
v8.5.1
v8.5.2
v8.6
v8.6.1
v8.7
v8.8
v8.9
v8.9.1
v8.9.2
v8.9.3
v8.9.4
v8.9.5
v8.9.6

v9.*

v9.0
v9.1
v9.1.1
v9.2.2
v9.3
v9.3.1
v9.3.2

v10.*

v10.1
v10.2
v10.2.1
v10.2.2
v10.2.3
v10.3
v10.3.1
v10.3.2
v10.3.3
v10.4
v10.4.1
v10.4.2
v10.4.3
v10.4.4
v10.5
v10.5.1
v10.5.2
v10.6
v10.6.1
v10.6.2
v10.6.3
v10.7
v10.7.1
v10.8
v10.8.1
v10.8.2
v10.8.3
v10.8.4
v10.8.5
v10.9
v10.9.1
v10.9.2
v10.9.3
v10.9.4
v10.9.5
v10.9.6
v10.9.7
v10.9.8