CVE-2019-14754
Open-School 3.0 and Community Edition 2.3 are affected by an SQL injection via index.php?r=students/students/document id parameter. The root cause is lack of validation of externally entered SQL statements in the database-based application, allowing an attacker to execute arbitrary SQL commands. ...