Exposure of Sensitive Information to an Unauthorized Actor in francoisjacquet/rosariosis


Reported on

Apr 29th 2022


Attacker can be able to download file from system.

Proof of Concept

1.Login as student - > Go to GRADES -> Assignments -> Submit a file to a random assignment -> save.

2.Attacker (with or without account) can be able to download through this URL https://www.rosariosis.org/demonstration/assets/AssignmentsFiles/2021/Quarter7/Teacher2/mathematics%206_1_student%20s%20student_2022-04-29%2003_50_45.zip.

3.The name of a file will be created with format {COURSE_TITLE}_{student_name}_{timestamp}_.{file_ext} -> Easy to bruteforce.

Way to fix

  • There are two ways to fix this issue:
  • Change name format to harder way to predict.

  • Require permission in download file function.


This vulnerability is capable of Exposure of Sensitive Information to an Unauthorized Actor

We are processing your report and will contact the francoisjacquet/rosariosis team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 2 years ago
We have contacted a member of the francoisjacquet/rosariosis team and are waiting to hear back 2 years ago
François Jacquet validated this vulnerability 2 years ago
dungtuanha has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
François Jacquet marked this as fixed in 8.9.5 with commit d6e4da 2 years ago
François Jacquet has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation