712 matches found
CVE-2024-35584
SQL injection vulnerabilities were discovered in Ajax.php, ForWindow.php, ForExport.php, Modules.php, functions/HackingLogFnc.php in OpenSis Community Edition 9.1 to 8.0, and possibly earlier versions. It is possible for an authenticated user to perform SQL Injection due to the lack to...
CVE-2024-46626
OS4ED openSIS-Classic v9.1 was discovered to contain a SQL injection vulnerability via a crafted payload...
CVE-2023-38885
OpenSIS Classic Community Edition version 9.0 lacks cross-site request forgery CSRF protection throughout the whole app. This may allow an attacker to trick an authenticated user into performing any kind of state changing request...
CVE-2023-38883
A reflected cross-site scripting XSS vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'ajax' parameter in 'ParentLookup.php'...
CVE-2023-38884
An Insecure Direct Object Reference IDOR vulnerability in the Community Edition version 9.0 of openSIS Classic allows an unauthenticated remote attacker to access any student's files by visiting '/assets/studentfiles/-'...
CVE-2023-38879
The Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to read arbitrary files via a directory traversal vulnerability in the 'filename' parameter of 'DownloadWindow.php'...
CVE-2023-38880
The Community Edition version 9.0 of OS4ED's openSIS Classic has a broken access control vulnerability in the database backup functionality. Whenever an admin generates a database backup, the backup is stored in the web root while the file name has a format of "opensisBackup.sql" e.g...
CVE-2023-38882
A reflected cross-site scripting XSS vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'include' parameter in 'ForExport.php'...
CVE-2023-38881
A reflected cross-site scripting XSS vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into any of the 'calendarid', 'schooldate', 'month' or 'year'...
CVE-2022-45962
Open Solutions for Education, Inc openSIS Community Edition v8.0 and earlier is vulnerable to SQL Injection via CalendarModal.php...
CVE-2022-27041
Due to lack of protection, parameter studentid in OpenSIS Classic 8.0 /modules/eligibility/Student.php can be used to inject SQL queries to extract information from databases...
CVE-2021-41679
A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/modules/grades/InputFinalGrades.php, period parameter...
CVE-2021-39377
A SQL Injection vulnerability exists in openSIS 8.0 when MySQL MariaDB is being used as the application database. A malicious attacker can issue SQL commands to the MySQL MariaDB database through the index.php username parameter...
CVE-2021-40637
OS4ED openSIS 8.0 is affected by cross-site scripting XSS in EmailCheckOthers.php. An attacker can inject JavaScript code to get the user's cookie and take over the working session of user...
CVE-2021-40636
OS4ED openSIS 8.0 is affected by SQL Injection in CheckDuplicateName.php, which can extract information from the database...
CVE-2021-40635
OS4ED openSIS 8.0 is affected by SQL injection in ChooseCpSearch.php, ChooseRequestSearch.php. An attacker can inject a SQL query to extract information from the database...
CVE-2021-40310
OpenSIS Community Edition version 8.0 is affected by a cross-site scripting XSS vulnerability in the TakeAttendance.php via the cpidmissattn parameter...
CVE-2021-39378
A SQL Injection vulnerability exists in openSIS 8.0 when MySQL MariaDB is being used as the application database. A malicious attacker can issue SQL commands to the MySQL MariaDB database through the NamesList.php str parameter...
CVE-2021-39379
A SQL Injection vulnerability exists in openSIS 8.0 when MySQL MariaDB is being used as the application database. A malicious attacker can issue SQL commands to the MySQL MariaDB database through the ResetUserInfo.php passwordstnid parameter...
CVE-2020-27408
OpenSIS Community Edition through 7.6 is affected by incorrect access controls for the file ResetUserInfo.php that allow an unauthenticated attacker to change the password of arbitrary users...