CVE-2021-44427: 
PHP vulnerability analysis and mitigation

An unauthenticated SQL Injection vulnerability was discovered in Rosario Student Information System (rosariosis) versions before 8.1.1. The vulnerability was disclosed on November 29, 2021, and allows remote attackers to execute PostgreSQL statements (including SELECT, INSERT, UPDATE, and DELETE operations) through the /Side.php endpoint via the syear parameter (NVD, GitLab Issue).

The vulnerability stems from two primary issues: broken access control and SQL injection. The affected component lacks proper session management checks and input validation in multiple files including /Side.php, /Warehouse.php, /functions/Current.php, and /functions/GetMP.php. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (GitLab Issue).

The vulnerability allows attackers to execute arbitrary PostgreSQL statements, potentially leading to unauthorized access, modification, or deletion of database contents. The CVSS scoring indicates high impact on confidentiality, integrity, and availability of the system (NVD).

The vulnerability was fixed in version 8.1.1. Recommended security measures include implementing proper session management, validating user input, using parameterized queries, and applying input filtering for dangerous characters. Additionally, implementing proper access controls and authentication checks is crucial (GitLab Issue).