Opensis Security Vulnerabilities and Issues — Opensis CVE List

Lucene search

Os4edOpensis

79 matches found

CVE•added 2020/07/01 3:15 p.m.•82 views

CVE-2020-13381

openSIS through 7.4 allows SQL Injection.

9.8CVSS9.6AI score0.46005EPSS

CVE•added 2020/07/01 3:15 p.m.•79 views

CVE-2020-13382

openSIS through 7.4 has Incorrect Access Control.

9.1CVSS9.2AI score0.58623EPSS

CVE•added 2022/03/03 2:15 p.m.•77 views

CVE-2021-40635

OS4ED openSIS 8.0 is affected by SQL injection in ChooseCpSearch.php, ChooseRequestSearch.php. An attacker can inject a SQL query to extract information from the database.

7.5CVSS7.6AI score0.00364EPSS

CVE•added 2020/12/04 4:15 p.m.•73 views

CVE-2020-27409

OpenSIS Community Edition before 7.5 is affected by a cross-site scripting (XSS) vulnerability in SideForStudent.php via the modname parameter.

6.1CVSS6AI score0.00419EPSS

CVE•added 2020/07/01 3:15 p.m.•72 views

CVE-2020-13383

openSIS through 7.4 allows Directory Traversal.

7.5CVSS7.5AI score0.42118EPSS

CVE•added 2013/12/09 4:36 p.m.•70 views

CVE-2013-1349

Eval injection vulnerability in ajax.php in openSIS 4.5 through 5.2 allows remote attackers to execute arbitrary PHP code via the modname parameter.

7.5CVSS7.8AI score0.70857EPSS

CVE•added 2021/09/24 4:15 p.m.•66 views

CVE-2021-40310

OpenSIS Community Edition version 8.0 is affected by a cross-site scripting (XSS) vulnerability in the TakeAttendance.php via the cp_id_miss_attn parameter.

5.4CVSS5.2AI score0.00464EPSS

CVE•added 2022/03/03 2:15 p.m.•64 views

CVE-2021-40636

OS4ED openSIS 8.0 is affected by SQL Injection in CheckDuplicateName.php, which can extract information from the database.

7.5CVSS7.8AI score0.00364EPSS

CVE•added 2022/03/03 3:15 p.m.•62 views

CVE-2021-40637

OS4ED openSIS 8.0 is affected by cross-site scripting (XSS) in EmailCheckOthers.php. An attacker can inject JavaScript code to get the user's cookie and take over the working session of user.

6.1CVSS5.9AI score0.00258EPSS

CVE•added 2022/04/11 2:15 p.m.•62 views

CVE-2022-27041

Due to lack of protection, parameter student_id in OpenSIS Classic 8.0 /modules/eligibility/Student.php can be used to inject SQL queries to extract information from databases.

7.5CVSS7.5AI score0.00412EPSS

CVE•added 2021/09/29 12:15 p.m.•59 views

CVE-2021-40651

OS4Ed OpenSIS Community 8.0 is vulnerable to a local file inclusion vulnerability in Modules.php (modname parameter), which can disclose arbitrary file from the server's filesystem as long as the application has access to the file.

6.5CVSS6.3AI score0.55433EPSS

CVE•added 2020/09/01 6:15 p.m.•55 views

CVE-2020-6136

An exploitable SQL injection vulnerability exists in the DownloadWindow.php functionality of OS4Ed openSIS 7.3. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

8.8CVSS8.9AI score0.01726EPSS

CVE•added 2021/09/01 1:15 p.m.•55 views

CVE-2021-39377

A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the index.php username parameter.

9.8CVSS9.8AI score0.06999EPSS

CVE•added 2024/11/08 7:15 p.m.•55 views

CVE-2024-51211

SQL injection vulnerability exists in OS4ED openSIS-Classic Version 9.1, specifically in the resetuserinfo.php file. The vulnerability is due to improper input validation of the $username_stn_id parameter, which can be manipulated by an attacker to inject arbitrary SQL commands.

9.8CVSS7.9AI score0.04704EPSS

CVE•added 2021/09/01 1:15 a.m.•54 views

CVE-2021-40353

A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the index.php USERNAME parameter. NOTE: this issue may exist because of an incomplete fix for CVE-2020-6637.

9.8CVSS9.9AI score0.85184EPSS

CVE•added 2020/09/01 9:15 p.m.•49 views

CVE-2020-6142

A remote code execution vulnerability exists in the Modules.php functionality of OS4Ed openSIS 7.3. A specially crafted HTTP request can cause local file inclusion. An attacker can send an HTTP request to trigger this vulnerability.

9.9CVSS9.5AI score0.32266EPSS

CVE•added 2021/10/11 1:15 p.m.•49 views

CVE-2021-40542

Opensis-Classic Version 8.0 is affected by cross-site scripting (XSS). An unauthenticated user can inject and execute JavaScript code through the link_url parameter in Ajax_url_encode.php.

6.1CVSS6.2AI score0.15266EPSS

CVE•added 2025/04/03 2:15 p.m.•48 views

CVE-2025-22926

An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal by sending a crafted POST request to /Modules.php?modname=messaging/Inbox.php&modfunc=save&filename.

9.8CVSS7.3AI score0.00794EPSS

CVE•added 2025/06/24 4:15 p.m.•47 views

CVE-2021-41691

A SQL injection vulnerability exists in OS4Ed Open Source Information System Community v8.0 via the "student_id" and "TRANSFER{SCHOOL]" parameters in POST request sent to /TransferredOutModal.php.

9.8CVSS6.6AI score0.04727EPSS

CVE•added 2024/10/02 5:15 p.m.•47 views

CVE-2024-46626

OS4ED openSIS-Classic v9.1 was discovered to contain a SQL injection vulnerability via a crafted payload.

8.8CVSS8.3AI score0.00133EPSS

CVE•added 2020/09/01 2:15 p.m.•45 views

CVE-2020-6123

An exploitable sql injection vulnerability exists in the email parameter functionality of OS4Ed openSIS 7.3. The email parameter in the page EmailCheck.php is vulnerable to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

8.8CVSS8.9AI score0.00458EPSS

CVE•added 2021/09/01 1:15 p.m.•44 views

CVE-2021-39378

9.8CVSS9.8AI score0.25373EPSS

CVE•added 2025/04/02 9:15 p.m.•44 views

CVE-2025-22924

OS4ED openSIS v7.0 through v9.1 contains a SQL injection vulnerability via the stu_id parameter at /modules/students/Student.php.

8.8CVSS8.2AI score0.00045EPSS

CVE•added 2025/04/03 2:15 p.m.•44 views

CVE-2025-22929

OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the filter_id parameter at /students/StudentFilters.php.

9.8CVSS8.5AI score0.00046EPSS

CVE•added 2020/12/04 4:15 p.m.•43 views

CVE-2020-27408

OpenSIS Community Edition through 7.6 is affected by incorrect access controls for the file ResetUserInfo.php that allow an unauthenticated attacker to change the password of arbitrary users.

7.5CVSS7.7AI score0.01184EPSS

CVE•added 2025/04/02 9:15 p.m.•43 views

CVE-2025-22925

OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the table parameter at /attendance/AttendanceCodes.php. The remote, authenticated attacker requires the admin role to successfully exploit this vulnerability.

7.5CVSS8.2AI score0.00113EPSS

CVE•added 2014/10/20 6:55 p.m.•42 views

CVE-2014-8366

SQL injection vulnerability in openSIS 4.5 through 5.3 allows remote attackers to execute arbitrary SQL commands via the Username and password to index.php.

7.5CVSS8.8AI score0.0036EPSS

CVE•added 2020/09/01 3:15 p.m.•42 views

CVE-2020-6127

SQL injection vulnerability exists in the CoursePeriodModal.php page of OS4Ed openSIS 7.3. The id parameter in the page CoursePeriodModal.php is vulnerable to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

8.8CVSS8.9AI score0.00392EPSS

CVE•added 2020/09/01 9:15 p.m.•42 views

CVE-2020-6143

A remote code execution vulnerability exists in the install functionality of OS4Ed openSIS 7.4. The password variable which is set at line 122 in install/Step5.php allows for injection of PHP code into the Data.php file that it writes. An attacker can send an HTTP request to trigger this vulnerabil...

10CVSS10AI score0.10783EPSS

CVE•added 2021/09/01 1:15 p.m.•42 views

CVE-2021-39379

9.8CVSS9.8AI score0.06999EPSS

CVE•added 2025/04/03 1:15 p.m.•42 views

CVE-2025-22927

An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal by sending a crafted POST request to /Modules.php?modname=messaging/Inbox.php&modfunc=save&filename.

9.1CVSS7.3AI score0.00745EPSS

CVE•added 2021/10/11 7:15 p.m.•41 views

CVE-2021-40617

An SQL Injection vulnerability exists in openSIS Community Edition version 8.0 via ForgotPassUserName.php.

9.8CVSS9.9AI score0.00404EPSS

CVE•added 2025/04/02 9:15 p.m.•41 views

CVE-2025-22923

An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal and delete files by sending a crafted POST request to /Modules.php?modname=users/Staff.php&removefile.

8.8CVSS7.4AI score0.00861EPSS

CVE•added 2020/09/01 2:15 p.m.•40 views

CVE-2020-6130

SQL injection vulnerabilities exist in the course_period_id parameters used in OS4Ed openSIS 7.3 pages. The course_period_id parameter in the page MassDropSessionSet.php is vulnerable to SQL injection. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.

8.8CVSS9.1AI score0.00392EPSS

CVE•added 2020/09/01 9:15 p.m.•40 views

CVE-2020-6140

SQL injection vulnerability exists in the password reset functionality of OS4Ed openSIS 7.3. The password_stf_email parameter in the password reset page /opensis/ResetUserInfo.php is vulnerable to SQL injection. An attacker can send an HTTP request to trigger this vulnerability.

9.8CVSS9.9AI score0.00717EPSS

CVE•added 2020/09/01 6:15 p.m.•39 views

CVE-2020-6141

An exploitable SQL injection vulnerability exists in the login functionality of OS4Ed openSIS 7.3. A specially crafted HTTP request can lead to SQL injection. An attacker can send an HTTP request to trigger this vulnerability.

9.8CVSS9.8AI score0.10825EPSS

CVE•added 2020/08/24 7:15 p.m.•39 views

CVE-2020-6637

openSIS Community Edition version 7.3 is vulnerable to SQL injection via the USERNAME parameter of index.php.

9.8CVSS9.7AI score0.85184EPSS

CVE•added 2020/09/01 3:15 p.m.•38 views

CVE-2020-6124

An exploitable sql injection vulnerability exists in the email parameter functionality of OS4Ed openSIS 7.3. The email parameter in the page EmailCheckOthers.php is vulnerable to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

8.8CVSS8.9AI score0.00392EPSS

CVE•added 2020/09/01 3:15 p.m.•38 views

CVE-2020-6134

SQL injection vulnerabilities exist in the ID parameters of OS4Ed openSIS 7.3 pages. The id parameter in the page MassDropModal.php is vulnerable to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

8.8CVSS9.1AI score0.00392EPSS

CVE•added 2020/09/01 9:15 p.m.•38 views

CVE-2020-6138

SQL injection vulnerability exists in the password reset functionality of OS4Ed openSIS 7.3. The uname parameter in the password reset page /opensis/ResetUserInfo.php is vulnerable to SQL injection An attacker can send an HTTP request to trigger this vulnerability.

9.8CVSS9.8AI score0.00717EPSS

CVE•added 2025/04/03 2:15 p.m.•38 views

CVE-2025-22930

OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the groupid parameter at /messaging/Group.php.

9.8CVSS8.5AI score0.00046EPSS

CVE•added 2020/09/01 2:15 p.m.•37 views

CVE-2020-6118

SQL injection vulnerabilities exist in the CheckDuplicateStudent.php page of OS4Ed openSIS 7.3. The bmonth parameter in the page CheckDuplicateStudent.php is vulnerable to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

8.8CVSS9.1AI score0.00458EPSS

CVE•added 2020/09/01 3:15 p.m.•36 views

CVE-2020-6125

An exploitable SQL injection vulnerability exists in the GetSchool.php functionality of OS4Ed openSIS 7.3. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

8.8CVSS8.9AI score0.01726EPSS

CVE•added 2020/09/01 9:15 p.m.•36 views

CVE-2020-6137

9.8CVSS9.9AI score0.00717EPSS

CVE•added 2021/10/12 6:15 p.m.•36 views

CVE-2021-40618

An SQL Injection vulnerability exists in openSIS Classic 8.0 via the 1) ADDR_CONT_USRN, 2) ADDR_CONT_PSWD, 3) SECN_CONT_USRN or 4) SECN_CONT_PSWD parameters in HoldAddressFields.php.

9.8CVSS9.9AI score0.00383EPSS

CVE•added 2020/09/01 3:15 p.m.•35 views

CVE-2020-6128

SQL injection vulnerability exists in the CoursePeriodModal.php page of OS4Ed openSIS 7.3. A specially crafted HTTP request can lead to SQL injection. The meet_date parameter in the page CoursePeriodModal.php is vulnerable to SQL injection. An attacker can make an authenticated HTTP request to trig...

8.8CVSS8.9AI score0.01726EPSS

CVE•added 2020/09/01 3:15 p.m.•35 views

CVE-2020-6132

SQL injection vulnerability exists in the ID parameters of OS4Ed openSIS 7.3 pages. The id parameter in the page ChooseCP.php is vulnerable to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

8.8CVSS8.9AI score0.00392EPSS

CVE•added 2023/11/20 7:15 p.m.•35 views

CVE-2023-38881

A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into any of the 'calendar_id', 'school_date', 'month' or 'year'...

6.1CVSS6AI score0.00167EPSS

CVE•added 2025/04/03 1:15 p.m.•35 views

CVE-2025-22928

OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the cp_id parameter at /modules/messages/Inbox.php.

9.8CVSS8.5AI score0.00046EPSS

CVE•added 2025/04/03 2:15 p.m.•35 views

CVE-2025-22931

An insecure direct object reference (IDOR) in the component /assets/stafffiles of OS4ED openSIS v7.0 to v9.1 allows unauthenticated attackers to access files uploaded by staff members.

7.5CVSS7.2AI score0.00067EPSS

Total number of security vulnerabilities79