VYPR

openSIS

by openSIS

CVEs (18)

  • CVE-2020-13381 | Cri | Jul 1, 2020
    risk 0.71 | cvss 9.8 | epss 0.59

    openSIS through 7.4 allows SQL Injection.

  • CVE-2021-39378 | Cri | Sep 1, 2021
    risk 0.66 | cvss 9.8 | epss 0.23

    A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the NamesList.php str parameter.

  • CVE-2020-13382 | Cri | Jul 1, 2020
    risk 0.66 | cvss 9.1 | epss 0.53

    openSIS through 7.4 has Incorrect Access Control.

  • CVE-2021-41679 | Cri | Nov 30, 2021
    risk 0.64 | cvss 9.8 | epss 0.01

    A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can issue SQL commands through the period parameter of /opensis/modules/grades/InputFinalGrades.php.

  • CVE-2021-41678 | Cri | Nov 30, 2021
    risk 0.64 | cvss 9.8 | epss 0.01

    A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can issue SQL commands through the staff[TITLE] parameter of /opensis/modules/users/Staff.php.

  • CVE-2021-41677 | Cri | Nov 30, 2021
    risk 0.64 | cvss 9.8 | epss 0.01

    A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can issue SQL commands through the &Grade= parameter of /opensis/functions/GetStuListFnc.php.

  • CVE-2021-40618 | Cri | Oct 12, 2021
    risk 0.64 | cvss 9.8 | epss 0.01

    An SQL Injection vulnerability exists in openSIS Classic 8.0 via the 1) ADDR_CONT_USRN, 2) ADDR_CONT_PSWD, 3) SECN_CONT_USRN or 4) SECN_CONT_PSWD parameters in HoldAddressFields.php.

  • CVE-2021-39379 | Cri | Sep 1, 2021
    risk 0.64 | cvss 9.8 | epss 0.04

    A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the ResetUserInfo.php password_stn_id parameter.

  • CVE-2021-40353 | Cri | Sep 1, 2021
    risk 0.64 | cvss 9.8 | epss 0.03

    A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can issue SQL commands through the index.php USERNAME parameter. NOTE: this issue may exist because of an incomplete fix for…

  • CVE-2020-6119 | Hig | Sep 1, 2020
    risk 0.57 | cvss 8.8 | epss 0.01

    SQL injection vulnerabilities exist in the CheckDuplicateStudent.php page of OS4Ed openSIS 7.3. The byear parameter in the page CheckDuplicateStudent.php is vulnerable to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

  • CVE-2025-26186 | Hig | Jul 15, 2025
    risk 0.53 | cvss 8.1 | epss 0.00

    SQL Injection vulnerability in openSIS v.9.1 allows a remote attacker to execute arbitrary code via the id parameter in Ajax.php.

  • CVE-2023-38884 | Hig | Nov 20, 2023
    risk 0.49 | cvss 7.5 | epss 0.01

    An Insecure Direct Object Reference (IDOR) vulnerability in the Community Edition version 9.0 of openSIS Classic allows an unauthenticated remote attacker to access any student's files by visiting '/assets/studentfiles/-'.

  • CVE-2022-27041 | Hig | Apr 11, 2022
    risk 0.49 | cvss 7.5 | epss 0.01

    Due to a lack of protection, the student_id parameter in OpenSIS Classic 8.0 /modules/eligibility/Student.php can be used to inject SQL queries to extract information from databases.

  • CVE-2021-40310 | Med | Sep 24, 2021
    risk 0.35 | cvss 5.4 | epss 0.01

    OpenSIS Community Edition version 8.0 is affected by a cross-site scripting (XSS) vulnerability in TakeAttendance.php via the cp_id_miss_attn parameter.

  • CVE-2020-13383 | Hig | Jul 1, 2020
    risk 0.09 | cvss 7.5 | epss 0.70

    openSIS through 7.4 allows Directory Traversal.

  • CVE-2025-65594 | Dec 9, 2025
    risk 0.00 | cvss | epss 0.00

    OpenSIS 9.2 and below is vulnerable to Incorrect Access Control in Student.php, which allows an authenticated low-privilege user to perform unauthorized database write operations relating to the data of other users.

  • CVE-2020-13380 | Cri | Jul 1, 2020
    risk 0.00 | cvss 9.8 | epss 0.02

    openSIS before 7.4 allows SQL Injection.

  • CVE-2014-8366 | Oct 20, 2014
    risk 0.00 | cvss | epss 0.02

    SQL injection vulnerability in openSIS 4.5 through 5.3 allows remote attackers to execute arbitrary SQL commands via the Username and password to index.php.