RosarioSIS improper access control vulnerability

2023-04-2103:30:36

Google

osv.dev

improper access control

information security

vulnerability

personally identifiable information

sensitive information

browser's back button

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

35.4%

JSON

RosarioSIS prior to version 10.9.3 has a vulnerability that allows a user to return to a page containing personally identifiable information (PII) and sensitive information even after logging out of the application by using the browser’s back button.

CPENameOperatorVersion
francoisjacquet/rosariosiseq7.0
francoisjacquet/rosariosiseq6.0-beta
francoisjacquet/rosariosiseq5.8-beta3
francoisjacquet/rosariosiseq7.1
francoisjacquet/rosariosiseq7.9.2
francoisjacquet/rosariosiseq5.5.1
francoisjacquet/rosariosiseq6.4.2
francoisjacquet/rosariosiseq5.4.5
francoisjacquet/rosariosiseq6.7.1
francoisjacquet/rosariosiseq5.4.6

Name	Operator	Version
francoisjacquet/rosariosis	eq	7.0
francoisjacquet/rosariosis	eq	6.0-beta
francoisjacquet/rosariosis	eq	5.8-beta3
francoisjacquet/rosariosis	eq	7.1
francoisjacquet/rosariosis	eq	7.9.2
francoisjacquet/rosariosis	eq	5.5.1
francoisjacquet/rosariosis	eq	6.4.2
francoisjacquet/rosariosis	eq	5.4.5
francoisjacquet/rosariosis	eq	6.7.1
francoisjacquet/rosariosis	eq	5.4.6