exploitDog

GHSA-36cm-h8gv-mg97

Published: 19 May 2023
Source: github
GitHub: reviewed
CVSS3: 7.5

Description

RosarioSIS Stores Sensitive Data in a Mechanism without Access Control

RosarioSIS prior to 11.0 allows anyone, regardless of authentication status, to download and view file attachments under the salaries module. In addition, the file names contain a date in YYYY-MM-DD format and a random six-digit string, making enumeration of file names with automated tools relatively easy. This could allow an attacker to gain access to sensitive salary information. The patch for version 11.0 adds microseconds to filenames to make them harder to guess.

Packages

Name: francoisjacquet/rosariosis (composer)
Affected versions: < 11.0
Fixed version: 11.0

EPSS: 0.00082 (percentile: 24%, Low)
CVSS3: 7.5 High

Weaknesses

CWE-921
CWE-922

Related vulnerabilities

CVSS3: 7.5
nvd
more than 2 years ago

Storage of Sensitive Data in a Mechanism without Access Control in GitHub repository francoisjacquet/rosariosis prior to 11.0.

EPSS: 0.00082 (percentile: 24%, Low)
CVSS3: 7.5 High

Weaknesses

CWE-921
CWE-922