Vulnerabilities > Os4Ed
DATE | CVE | VULNERABILITY TITLE AND DESCRIPTION | RISK (CVSS SCORE) |
---|---|---|---|
2023-11-20 | CVE-2023-38879 | Path Traversal vulnerability in Os4Ed Opensis 9.0. The Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to read arbitrary files via a directory traversal vulnerability in the 'filename' parameter of 'DownloadWindow.php'. | 7.5 |
2023-11-20 | CVE-2023-38880 | Unspecified vulnerability in Os4Ed Opensis 9.0. The Community Edition version 9.0 of OS4ED's openSIS Classic has a broken access control vulnerability in the database backup functionality. | 9.8 |
2023-11-20 | CVE-2023-38881 | Cross-site Scripting vulnerability in Os4Ed Opensis 9.0. A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into any of the 'calendar_id', 'school_date', 'month' or 'year' parameters in 'CalendarModal.php'. | 6.1 |
2023-11-20 | CVE-2023-38882 | Cross-site Scripting vulnerability in Os4Ed Opensis 9.0. A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'include' parameter in 'ForExport.php'. | 6.1 |
2023-11-20 | CVE-2023-38883 | Cross-site Scripting vulnerability in Os4Ed Opensis 9.0. A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'ajax' parameter in 'ParentLookup.php'. | 6.1 |
2023-11-20 | CVE-2023-38884 | Authorization Bypass Through User-Controlled Key vulnerability in Os4Ed Opensis 9.0. An Insecure Direct Object Reference (IDOR) vulnerability in the Community Edition version 9.0 of openSIS Classic allows an unauthenticated remote attacker to access any student's files by visiting '/assets/studentfiles/<studentId>-<filename>'. | 7.5 |
2023-11-20 | CVE-2023-38885 | Cross-Site Request Forgery (CSRF) vulnerability in Os4Ed Opensis 9.0. OpenSIS Classic Community Edition version 9.0 lacks cross-site request forgery (CSRF) protection throughout the whole app. | 8.8 |
2023-02-13 | CVE-2022-45962 | SQL Injection vulnerability in Os4Ed Opensis 7.3/7.6/8.0. Open Solutions for Education, Inc openSIS Community Edition v8.0 and earlier is vulnerable to SQL Injection via CalendarModal.php. | 6.5 |
2022-04-11 | CVE-2022-27041 | SQL Injection vulnerability in Os4Ed Opensis 8.0. Due to lack of protection, the student_id parameter in OpenSIS Classic 8.0 /modules/eligibility/Student.php can be used to inject SQL queries to extract information from databases. | 7.5 |
2022-03-03 | CVE-2021-40637 | Cross-site Scripting vulnerability in Os4Ed Opensis 8.0. OS4ED openSIS 8.0 is affected by cross-site scripting (XSS) in EmailCheckOthers.php. | 6.1 |