CVE-2023-2665
RosarioSIS Stores Sensitive Data in a Mechanism without Access Control
7.5
HIGH
CVSS 3.1
EPSS 0.27%
Description
RosarioSIS prior to 11.0 allows anyone, regardless of authentication status, to download and view file attachments under the `salaries` module. In addition, the file names contain a date in `YYYY-MM-DD` format followed by a random six-digit string, so enumerating file names with automated tools is relatively easy. This could allow an attacker to gain access to sensitive salary information. The patch for version 11.0 adds microseconds to filenames to make them harder to guess. Note that a less predictable name only raises the cost of guessing; it is not itself an access control, so deployments should also verify that attachments under the module are served only to authenticated, authorised users.
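The two defects above, predictable names and a download path that never checks who is asking, shown side by side in a self-contained Python model. This is an added example, not RosarioSIS code; the `_` separator after the date, the absence of a file extension, and the in-memory stores are assumptions made for illustration. The advisory only states the date format and the six random digits.

```python
"""Models CVE-2023-2665: guessable attachment names plus downloads that skip
access control. Added example; the stores and naming details are assumptions."""
import secrets
from dataclasses import dataclass
from datetime import date


# --- Weak naming scheme as described in the advisory: YYYY-MM-DD + six digits ---

def weak_attachment_name(upload_date: date) -> str:
    """Name of the shape 'YYYY-MM-DD_NNNNNN'. The '_' separator is an assumption;
    the advisory only states the date format and the six random digits."""
    return f"{upload_date.isoformat()}_{secrets.randbelow(10**6):06d}"


def enumerate_weak_names(upload_date: date):
    """Yield every name the weak scheme can produce for one day: only 10**6."""
    prefix = upload_date.isoformat()
    for n in range(10**6):
        yield f"{prefix}_{n:06d}"


def find_by_enumeration(existing: set, upload_date: date) -> list:
    """Recover attachment names for a day by brute force. Against the vulnerable
    server each candidate would simply be requested over HTTP, since no login
    is required; here 'existing' stands in for the server's file listing."""
    return [name for name in enumerate_weak_names(upload_date) if name in existing]


# --- Vulnerable vs. hardened download handling (in-memory stand-ins) ---

@dataclass(frozen=True)
class User:
    id: int
    is_admin: bool = False


class UnprotectedStore:
    """Serves any stored file by name to anyone, as the advisory describes."""

    def __init__(self):
        self.files = {}  # name -> (owner_id, content)

    def store(self, owner_id: int, content: bytes, upload_date: date) -> str:
        name = weak_attachment_name(upload_date)
        self.files[name] = (owner_id, content)
        return name

    def download(self, requester, name: str) -> bytes:
        # 'requester' is ignored: unauthenticated callers get the file too.
        return self.files[name][1]


class ProtectedStore:
    """Requires authentication and ownership (or admin), and names files with
    256 bits of randomness so the name cannot be derived from the upload time."""

    def __init__(self):
        self.files = {}

    def store(self, owner_id: int, content: bytes, upload_date: date = None) -> str:
        name = secrets.token_urlsafe(32)  # upload_date deliberately unused
        self.files[name] = (owner_id, content)
        return name

    def download(self, requester, name: str) -> bytes:
        if requester is None:
            raise PermissionError("authentication required")
        record = self.files.get(name)
        if record is None:
            raise FileNotFoundError(name)
        owner_id, content = record
        if requester.id != owner_id and not requester.is_admin:
            raise PermissionError("not authorised for this attachment")
        return content


def denied(store, requester, name: str) -> bool:
    """True if the store refuses the download on authorisation grounds."""
    try:
        store.download(requester, name)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    day = date(2023, 5, 1)  # constructed sample input
    weak = UnprotectedStore()
    leaked = weak.store(owner_id=7, content=b"salary sheet", upload_date=day)
    print("enumeration recovers:", find_by_enumeration(set(weak.files), day) == [leaked])
    print("anonymous download works on weak store:", weak.download(None, leaked) == b"salary sheet")
    strong = ProtectedStore()
    token = strong.store(owner_id=7, content=b"salary sheet")
    print("anonymous download denied on hardened store:", denied(strong, None, token))
```

Running the script shows the whole day's keyspace being searched in well under a second, which is the practical meaning of "relatively easy to enumerate"; the hardened store's names cannot be enumerated, and even a leaked name yields nothing without a valid, authorised session.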
How to fix CVE-2023-2665
To remediate CVE-2023-2665, upgrade the affected package to a fixed version below.
- Upgrade RosarioSIS to 11.0 or later.
Is CVE-2023-2665 being exploited?
Low. The EPSS score is 0.27%, an estimated probability of exploitation in the wild over the next 30 days; it does not indicate observed exploitation at scale, and no in-the-wild exploitation is reported on this page.
Affected packages (1)
- RosarioSIS: all versions before 11.0 (>= 0, < 11.0)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |