openSIS
by openSIS
CVEs (18)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-13381 | | Critical | 0.71 | 9.8 | 0.59 | | Jul 1, 2020 | openSIS through 7.4 allows SQL Injection. |
| CVE-2021-39378 | | Critical | 0.66 | 9.8 | 0.23 | | Sep 1, 2021 | A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the NamesList.php str parameter. |
| CVE-2020-13382 | | Critical | 0.66 | 9.1 | 0.53 | | Jul 1, 2020 | openSIS through 7.4 has Incorrect Access Control. |
| CVE-2021-41679 | | Critical | 0.64 | 9.8 | 0.01 | | Nov 30, 2021 | A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/modules/grades/InputFinalGrades.php, period parameter. |
| CVE-2021-41678 | | Critical | 0.64 | 9.8 | 0.01 | | Nov 30, 2021 | A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/modules/users/Staff.php, staff{TITLE] parameter. |
| CVE-2021-41677 | | Critical | 0.64 | 9.8 | 0.01 | | Nov 30, 2021 | A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/functions/GetStuListFnc.php &Grade= parameter. |
| CVE-2021-40618 | | Critical | 0.64 | 9.8 | 0.01 | | Oct 12, 2021 | An SQL Injection vulnerability exists in openSIS Classic 8.0 via the 1) ADDR_CONT_USRN, 2) ADDR_CONT_PSWD, 3) SECN_CONT_USRN or 4) SECN_CONT_PSWD parameters in HoldAddressFields.php. |
| CVE-2021-39379 | | Critical | 0.64 | 9.8 | 0.04 | | Sep 1, 2021 | A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the ResetUserInfo.php password_stn_id parameter. |
| CVE-2021-40353 | | Critical | 0.64 | 9.8 | 0.03 | | Sep 1, 2021 | A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the index.php USERNAME parameter. NOTE: this issue may exist because of an incomplete fix for… |
| CVE-2020-6119 | | High | 0.57 | 8.8 | 0.01 | | Sep 1, 2020 | SQL injection vulnerabilities exist in the CheckDuplicateStudent.php page of OS4Ed openSIS 7.3. The byear parameter in the page CheckDuplicateStudent.php is vulnerable to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability. |
| CVE-2025-26186 | | High | 0.53 | 8.1 | 0.00 | | Jul 15, 2025 | SQL Injection vulnerability in openSIS v.9.1 allows a remote attacker to execute arbitrary code via the id parameter in Ajax.php |
| CVE-2023-38884 | | High | 0.49 | 7.5 | 0.01 | | Nov 20, 2023 | An Insecure Direct Object Reference (IDOR) vulnerability in the Community Edition version 9.0 of openSIS Classic allows an unauthenticated remote attacker to access any student's files by visiting '/assets/studentfiles/-' |
| CVE-2022-27041 | | High | 0.49 | 7.5 | 0.01 | | Apr 11, 2022 | Due to lack of protection, parameter student_id in OpenSIS Classic 8.0 /modules/eligibility/Student.php can be used to inject SQL queries to extract information from databases. |
| CVE-2021-40310 | | Medium | 0.35 | 5.4 | 0.01 | | Sep 24, 2021 | OpenSIS Community Edition version 8.0 is affected by a cross-site scripting (XSS) vulnerability in the TakeAttendance.php via the cp_id_miss_attn parameter. |
| CVE-2020-13383 | | High | 0.09 | 7.5 | 0.70 | | Jul 1, 2020 | openSIS through 7.4 allows Directory Traversal. |
| CVE-2025-65594 | | | 0.00 | — | 0.00 | | Dec 9, 2025 | OpenSIS 9.2 and below is vulnerable to Incorrect Access Control in Student.php, which allows an authenticated low-privilege user to perform unauthorized database write operations relating to the data of other users. |
| CVE-2020-13380 | | Critical | 0.00 | 9.8 | 0.02 | | Jul 1, 2020 | openSIS before 7.4 allows SQL Injection. |
| CVE-2014-8366 | | | 0.00 | — | 0.02 | | Oct 20, 2014 | SQL injection vulnerability in openSIS 4.5 through 5.3 allows remote attackers to execute arbitrary SQL commands via the Username and password to index.php. |