CVE-2023-2665
PHP vulnerability analysis and mitigation

Overview

Storage of Sensitive Data in a Mechanism without Access Control was discovered in GitHub repository francoisjacquet/rosariosis prior to version 11.0. The vulnerability was disclosed on May 11, 2023, and was assigned CVE-2023-2665. The vulnerability affects the RosarioSIS software system (NVD, CVE).

Technical details

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. This indicates that the vulnerability can be exploited over the network, requires low attack complexity, needs no privileges, requires no user interaction, has unchanged scope, and can result in high confidentiality impact but no integrity or availability impact (NVD).

Impact

The vulnerability allows unauthorized access to sensitive data due to improper access control mechanisms. The high CVSS score particularly emphasizes the significant confidentiality impact, indicating that sensitive information could be exposed to unauthorized parties (NVD).

Mitigation and workarounds

The vulnerability has been patched in RosarioSIS version 11.0. Users should upgrade to this version or later to address the security issue. The fix includes adding microseconds to filename format to make it harder to predict, as implemented in various files including FileUpload.fnc.php, Accounting/functions.php, PortalNotes.php, and Student_Billing/functions.php (GitHub Patch).

Additional resources


SourceThis report was generated using AI

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management