Lucene search

GitHub Advisory DatabaseGHSA-G66V-3V62-G375

HistoryApr 21, 2023 - 3:30 a.m.

RosarioSIS improper access control vulnerability

2023-04-2103:30:36

CWE-284

GitHub Advisory Database

github.com

rosariosis

access control

vulnerability

version 10.9.3

personally identifiable information

sensitive information

logging out

browser's back button

software

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

35.4%

JSON

RosarioSIS prior to version 10.9.3 has a vulnerability that allows a user to return to a page containing personally identifiable information (PII) and sensitive information even after logging out of the application by using the browser’s back button.

Affected configurations

Vulners

Node

francoisjacquetrosariosisRange<10.9.3

CPENameOperatorVersion
francoisjacquet/rosariosislt10.9.3

CPE	Name	Operator	Version
	francoisjacquet/rosariosis	lt	10.9.3

References

github.com/advisories/GHSA-g66v-3v62-g375

github.com/francoisjacquet/rosariosis/commit/6433946abfb34324616e833b1c00d0b2450753be

github.com/francoisjacquet/rosariosis/compare/v10.9.2...v10.9.3

huntr.dev/bounties/efe6ef47-d17c-4773-933a-4836c32db85c

nvd.nist.gov/vuln/detail/CVE-2023-2202

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

35.4%

JSON

Related for GHSA-G66V-3V62-G375