Vulnerabilities > Os4Ed > Opensis > 9.0
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-11-20 | CVE-2023-38879 | Path Traversal vulnerability in Os4Ed Opensis 9.0 The Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to read arbitrary files via a directory traversal vulnerability in the 'filename' parameter of 'DownloadWindow.php'. | 7.5 |
| 2023-11-20 | CVE-2023-38880 | Unspecified vulnerability in Os4Ed Opensis 9.0 The Community Edition version 9.0 of OS4ED's openSIS Classic has a broken access control vulnerability in the database backup functionality. | 9.8 |
| 2023-11-20 | CVE-2023-38881 | Cross-site Scripting vulnerability in Os4Ed Opensis 9.0 A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into any of the 'calendar_id', 'school_date', 'month' or 'year' parameters in 'CalendarModal.php'. | 6.1 |
| 2023-11-20 | CVE-2023-38882 | Cross-site Scripting vulnerability in Os4Ed Opensis 9.0 A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'include' parameter in 'ForExport.php' | 6.1 |
| 2023-11-20 | CVE-2023-38883 | Cross-site Scripting vulnerability in Os4Ed Opensis 9.0 A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'ajax' parameter in 'ParentLookup.php'. | 6.1 |
| 2023-11-20 | CVE-2023-38884 | Authorization Bypass Through User-Controlled Key vulnerability in Os4Ed Opensis 9.0 An Insecure Direct Object Reference (IDOR) vulnerability in the Community Edition version 9.0 of openSIS Classic allows an unauthenticated remote attacker to access any student's files by visiting '/assets/studentfiles/<studentId>-<filename>' | 7.5 |
| 2023-11-20 | CVE-2023-38885 | Cross-Site Request Forgery (CSRF) vulnerability in Os4Ed Opensis 9.0 OpenSIS Classic Community Edition version 9.0 lacks cross-site request forgery (CSRF) protection throughout the whole app. | 8.8 |