Vulnerabilities > Os4Ed > Opensis > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-11-20 | CVE-2023-38879 | Path Traversal vulnerability in Os4Ed Opensis 9.0 The Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to read arbitrary files via a directory traversal vulnerability in the 'filename' parameter of 'DownloadWindow.php'. | 7.5 |
| 2023-11-20 | CVE-2023-38884 | Authorization Bypass Through User-Controlled Key vulnerability in Os4Ed Opensis 9.0 An Insecure Direct Object Reference (IDOR) vulnerability in the Community Edition version 9.0 of openSIS Classic allows an unauthenticated remote attacker to access any student's files by visiting '/assets/studentfiles/<studentId>-<filename>' | 7.5 |
| 2023-11-20 | CVE-2023-38885 | Cross-Site Request Forgery (CSRF) vulnerability in Os4Ed Opensis 9.0 OpenSIS Classic Community Edition version 9.0 lacks cross-site request forgery (CSRF) protection throughout the whole app. | 8.8 |
| 2022-04-11 | CVE-2022-27041 | SQL Injection vulnerability in Os4Ed Opensis 8.0 Due to lack of protection, parameter student_id in OpenSIS Classic 8.0 /modules/eligibility/Student.php can be used to inject SQL queries to extract information from databases. | 7.5 |
| 2022-03-03 | CVE-2021-40635 | SQL Injection vulnerability in Os4Ed Opensis 8.0 OS4ED openSIS 8.0 is affected by SQL injection in ChooseCpSearch.php, ChooseRequestSearch.php. | 7.5 |
| 2022-03-03 | CVE-2021-40636 | SQL Injection vulnerability in Os4Ed Opensis 8.0 OS4ED openSIS 8.0 is affected by SQL Injection in CheckDuplicateName.php, which can extract information from the database. | 7.5 |
| 2021-09-24 | CVE-2021-40309 | SQL Injection vulnerability in Os4Ed Opensis 8.0 A SQL injection vulnerability exists in the Take Attendance functionality of OS4Ed's OpenSIS 8.0. | 8.8 |
| 2020-12-04 | CVE-2020-27408 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Os4Ed Opensis 7.3/7.6 OpenSIS Community Edition through 7.6 is affected by incorrect access controls for the file ResetUserInfo.php that allow an unauthenticated attacker to change the password of arbitrary users. | 7.5 |
| 2020-09-01 | CVE-2020-6136 | SQL Injection vulnerability in Os4Ed Opensis 7.3 An exploitable SQL injection vulnerability exists in the DownloadWindow.php functionality of OS4Ed openSIS 7.3. | 8.8 |
| 2020-09-01 | CVE-2020-6135 | SQL Injection vulnerability in Os4Ed Opensis 7.3 An exploitable SQL injection vulnerability exists in the Validator.php functionality of OS4Ed openSIS 7.3. | 8.8 |