CVE-2022-2036: 
PHP vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was identified in the GitHub repository francoisjacquet/rosariosis versions prior to 9.0.1. The vulnerability was discovered and disclosed on June 9, 2022, affecting the RosarioSIS Student Information System (CVE Details, MITRE CVE).

The vulnerability is classified as a stored XSS issue related to HTML entity decoding from URLs. The CVSS v3.1 base score is 5.4 (Medium), with an impact score of 2.7 and exploitability score of 2.3. The attack vector is Network-based, requires low privileges and user interaction, with a changed scope affecting confidentiality and integrity at low levels (AttackerKB).

The vulnerability could allow attackers to execute malicious scripts in the context of other users' browsers, potentially leading to theft of sensitive information, session hijacking, or other client-side attacks. The impact is characterized by low confidentiality and integrity breaches, with no effect on availability (AttackerKB).

The vulnerability has been patched in version 9.0.1 of RosarioSIS. The fix involves properly decoding HTML entities from URLs using the ENTQUOTES and ENTHTML5 flags in the htmlentitydecode function (GitHub Commit).