CVE-2021-45416: 
PHP vulnerability analysis and mitigation

A reflected Cross-site scripting (XSS) vulnerability was discovered in RosarioSIS version 8.2.1, identified as CVE-2021-45416. The vulnerability allows attackers to inject arbitrary HTML through the search_term parameter in the modules/Scheduling/Courses.php script. The issue was discovered on October 20, 2021, and was fixed in version 8.3 released on October 22, 2021. The vulnerability affects RosarioSIS version 8.2.1 and potentially earlier versions (GitHub Exploit).

The vulnerability exists due to improper neutralization of user input in the search_term parameter within the modules/Scheduling/Courses.php script, which is accessible through ChooseCourse.php and ChooseRequest.php. The CVSS v3.1 base score is 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability requires user interaction and can be exploited through a popup window using JavaScript's window.open() method (NVD Database).

If successfully exploited, this XSS vulnerability allows attackers to inject and execute arbitrary HTML code in the context of the user's browser session. This could lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the authenticated user (GitHub Exploit).

The recommended mitigation is to upgrade to RosarioSIS version 8.3 or later, which contains the fix for this vulnerability. The fix was implemented through a security patch released on October 22, 2021. The vendor addressed the issue by properly sanitizing the search_term parameter input (GitHub Exploit, Vendor Advisory).