Total
79 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-22923 | 1 Os4ed | 1 Opensis | 2025-07-17 | N/A | 8.8 HIGH |
| An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal and delete files by sending a crafted POST request to /Modules.php?modname=users/Staff.php&removefile. | |||||
| CVE-2025-22927 | 1 Os4ed | 1 Opensis | 2025-07-17 | N/A | 9.1 CRITICAL |
| An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal by sending a crafted POST request to /Modules.php?modname=messaging/Inbox.php&modfunc=save&filename. | |||||
| CVE-2025-22931 | 1 Os4ed | 1 Opensis | 2025-07-17 | N/A | 7.5 HIGH |
| An insecure direct object reference (IDOR) in the component /assets/stafffiles of OS4ED openSIS v7.0 to v9.1 allows unauthenticated attackers to access files uploaded by staff members. | |||||
| CVE-2025-26186 | 1 Os4ed | 1 Opensis | 2025-07-17 | N/A | 8.1 HIGH |
| SQL Injection vulnerability in openSIS v.9.1 allows a remote attacker to execute arbitrary code via the id parameter in Ajax.php | |||||
| CVE-2024-46626 | 1 Os4ed | 1 Opensis | 2025-07-17 | N/A | 8.8 HIGH |
| OS4ED openSIS-Classic v9.1 was discovered to contain a SQL injection vulnerability via a crafted payload. | |||||
| CVE-2024-35584 | 1 Os4ed | 1 Opensis | 2025-07-17 | N/A | 8.8 HIGH |
| SQL injection vulnerabilities were discovered in Ajax.php, ForWindow.php, ForExport.php, Modules.php, functions/HackingLogFnc.php in OpenSis Community Edition 9.1 to 8.0, and possibly earlier versions. It is possible for an authenticated user to perform SQL Injection due to the lack to sanitisation. The application takes arbitrary value from "X-Forwarded-For" header and appends it to a SQL INSERT statement directly, leading to SQL Injection. | |||||
| CVE-2024-51211 | 1 Os4ed | 1 Opensis | 2025-07-17 | N/A | 9.8 CRITICAL |
| SQL injection vulnerability exists in OS4ED openSIS-Classic Version 9.1, specifically in the resetuserinfo.php file. The vulnerability is due to improper input validation of the $username_stn_id parameter, which can be manipulated by an attacker to inject arbitrary SQL commands. | |||||
| CVE-2021-41691 | 1 Os4ed | 1 Opensis | 2025-07-09 | N/A | 9.8 CRITICAL |
| A SQL injection vulnerability exists in OS4Ed Open Source Information System Community v8.0 via the "student_id" and "TRANSFER{SCHOOL]" parameters in POST request sent to /TransferredOutModal.php. | |||||
| CVE-2025-22928 | 1 Os4ed | 1 Opensis | 2025-05-02 | N/A | 9.8 CRITICAL |
| OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the cp_id parameter at /modules/messages/Inbox.php. | |||||
| CVE-2025-22926 | 1 Os4ed | 1 Opensis | 2025-04-30 | N/A | 9.8 CRITICAL |
| An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal by sending a crafted POST request to /Modules.php?modname=messaging/Inbox.php&modfunc=save&filename. | |||||
| CVE-2025-22929 | 1 Os4ed | 1 Opensis | 2025-04-29 | N/A | 9.8 CRITICAL |
| OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the filter_id parameter at /students/StudentFilters.php. | |||||
| CVE-2025-22930 | 1 Os4ed | 1 Opensis | 2025-04-29 | N/A | 9.8 CRITICAL |
| OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the groupid parameter at /messaging/Group.php. | |||||
| CVE-2025-22924 | 1 Os4ed | 1 Opensis | 2025-04-29 | N/A | 8.8 HIGH |
| OS4ED openSIS v7.0 through v9.1 contains a SQL injection vulnerability via the stu_id parameter at /modules/students/Student.php. | |||||
| CVE-2025-22925 | 1 Os4ed | 1 Opensis | 2025-04-29 | N/A | 7.5 HIGH |
| OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the table parameter at /attendance/AttendanceCodes.php. The remote, authenticated attacker requires the admin role to successfully exploit this vulnerability. | |||||
| CVE-2021-40617 | 1 Os4ed | 1 Opensis | 2025-04-16 | 7.5 HIGH | 9.8 CRITICAL |
| An SQL Injection vulnerability exists in openSIS Community Edition version 8.0 via ForgotPassUserName.php. | |||||
| CVE-2014-8366 | 1 Os4ed | 1 Opensis | 2025-04-12 | 7.5 HIGH | N/A |
| SQL injection vulnerability in openSIS 4.5 through 5.3 allows remote attackers to execute arbitrary SQL commands via the Username and password to index.php. | |||||
| CVE-2013-1349 | 1 Os4ed | 1 Opensis | 2025-04-11 | 7.5 HIGH | N/A |
| Eval injection vulnerability in ajax.php in openSIS 4.5 through 5.2 allows remote attackers to execute arbitrary PHP code via the modname parameter. | |||||
| CVE-2022-45962 | 1 Os4ed | 1 Opensis | 2025-03-21 | N/A | 6.5 MEDIUM |
| Open Solutions for Education, Inc openSIS Community Edition v8.0 and earlier is vulnerable to SQL Injection via CalendarModal.php. | |||||
| CVE-2023-38885 | 1 Os4ed | 1 Opensis | 2024-11-21 | N/A | 8.8 HIGH |
| OpenSIS Classic Community Edition version 9.0 lacks cross-site request forgery (CSRF) protection throughout the whole app. This may allow an attacker to trick an authenticated user into performing any kind of state changing request. | |||||
| CVE-2023-38884 | 1 Os4ed | 1 Opensis | 2024-11-21 | N/A | 7.5 HIGH |
| An Insecure Direct Object Reference (IDOR) vulnerability in the Community Edition version 9.0 of openSIS Classic allows an unauthenticated remote attacker to access any student's files by visiting '/assets/studentfiles/<studentId>-<filename>' | |||||