openSIS
Recent CVEs
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-13381 | OS4Ed / openSIS | Critical | 0.71 | 9.8 | 0.59 | | Jul 1, 2020 | openSIS through 7.4 allows SQL Injection. |
| CVE-2021-40617 | OS4Ed / openSIS | Critical | 0.67 | 9.8 | 0.05 | | Oct 11, 2021 | An SQL Injection vulnerability exists in openSIS Community Edition version 8.0 via ForgotPassUserName.php. |
| CVE-2021-39378 | OS4Ed / openSIS | Critical | 0.66 | 9.8 | 0.23 | | Sep 1, 2021 | A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the NamesList.php str parameter. |
| CVE-2020-13382 | OS4Ed / openSIS | Critical | 0.66 | 9.1 | 0.53 | | Jul 1, 2020 | openSIS through 7.4 has Incorrect Access Control. |
| CVE-2021-41679 | OS4Ed / openSIS | Critical | 0.64 | 9.8 | 0.01 | | Nov 30, 2021 | A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/modules/grades/InputFinalGrades.php period parameter. |
| CVE-2021-41678 | OS4Ed / openSIS | Critical | 0.64 | 9.8 | 0.01 | | Nov 30, 2021 | A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/modules/users/Staff.php staff[TITLE] parameter. |
| CVE-2021-41677 | OS4Ed / openSIS | Critical | 0.64 | 9.8 | 0.01 | | Nov 30, 2021 | A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/functions/GetStuListFnc.php Grade parameter. |
| CVE-2021-40618 | OS4Ed / openSIS | Critical | 0.64 | 9.8 | 0.01 | | Oct 12, 2021 | An SQL Injection vulnerability exists in openSIS Classic 8.0 via the 1) ADDR_CONT_USRN, 2) ADDR_CONT_PSWD, 3) SECN_CONT_USRN or 4) SECN_CONT_PSWD parameters in HoldAddressFields.php. |
| CVE-2021-39379 | OS4Ed / openSIS | Critical | 0.64 | 9.8 | 0.04 | | Sep 1, 2021 | A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the ResetUserInfo.php password_stn_id parameter. |
| CVE-2021-40353 | OS4Ed / openSIS | Critical | 0.64 | 9.8 | 0.03 | | Sep 1, 2021 | A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the index.php USERNAME parameter. NOTE: this issue may exist because of an incomplete fix for… |
| CVE-2024-35584 | OS4Ed / openSIS | High | 0.58 | 8.8 | 0.07 | | Oct 15, 2024 | SQL injection vulnerabilities were discovered in Ajax.php, ForWindow.php, ForExport.php, Modules.php, functions/HackingLogFnc.php in openSIS Community Edition 8.0 to 9.1, and possibly earlier versions. It is possible for an authenticated user to perform SQL Injection due to the… |
| CVE-2023-38885 | OS4Ed / openSIS | High | 0.57 | 8.8 | 0.00 | | Nov 20, 2023 | openSIS Classic Community Edition version 9.0 lacks cross-site request forgery (CSRF) protection throughout the whole app. This may allow an attacker to trick an authenticated user into performing any kind of state-changing request. |
| CVE-2020-6119 | OS4Ed / openSIS | High | 0.57 | 8.8 | 0.01 | | Sep 1, 2020 | SQL injection vulnerabilities exist in the CheckDuplicateStudent.php page of OS4Ed openSIS 7.3. The byear parameter in the page CheckDuplicateStudent.php is vulnerable to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability. |
| CVE-2025-26186 | OS4Ed / openSIS | High | 0.53 | 8.1 | 0.00 | | Jul 15, 2025 | SQL Injection vulnerability in openSIS v9.1 allows a remote attacker to execute arbitrary code via the id parameter in Ajax.php. |
| CVE-2023-38884 | OS4Ed / openSIS | High | 0.49 | 7.5 | 0.01 | | Nov 20, 2023 | An Insecure Direct Object Reference (IDOR) vulnerability in the Community Edition version 9.0 of openSIS Classic allows an unauthenticated remote attacker to access any student's files by visiting '/assets/studentfiles/-'. |
| CVE-2022-27041 | OS4Ed / openSIS | High | 0.49 | 7.5 | 0.01 | | Apr 11, 2022 | Due to lack of protection, the student_id parameter in openSIS Classic 8.0 /modules/eligibility/Student.php can be used to inject SQL queries and extract information from the database. |
| CVE-2020-27408 | OS4Ed / openSIS | High | 0.49 | 7.5 | 0.02 | | Dec 4, 2020 | openSIS Community Edition through 7.6 is affected by incorrect access controls for the file ResetUserInfo.php that allow an unauthenticated attacker to change the password of arbitrary users. |
| CVE-2021-40310 | OS4Ed / openSIS | Medium | 0.35 | 5.4 | 0.01 | | Sep 24, 2021 | openSIS Community Edition version 8.0 is affected by a cross-site scripting (XSS) vulnerability in TakeAttendance.php via the cp_id_miss_attn parameter. |
| CVE-2020-13383 | OS4Ed / openSIS | High | 0.09 | 7.5 | 0.70 | | Jul 1, 2020 | openSIS through 7.4 allows Directory Traversal. |
| CVE-2013-1349 | OS4Ed / openSIS | — | 0.05 | — | 0.23 | | Dec 9, 2013 | Eval injection vulnerability in ajax.php in openSIS 4.5 through 5.2 allows remote attackers to execute arbitrary PHP code via the modname parameter. |

Column key: Sev and CVSS are the CVSS base severity and score; EPSS is the FIRST Exploit Prediction Scoring System probability (0 to 1) that the flaw is exploited in the wild within 30 days; KEV marks inclusion in CISA's Known Exploited Vulnerabilities catalog (empty for every row here); Risk is this listing's own ranking score, and rows are sorted by it. A dash means the value is not available for that entry.
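Most rows in the table are the same bug class: SQL injection through a named parameter of a named PHP file, submitted to a MySQL/MariaDB-backed install. A defender reading this list usually wants to know whether anyone has been probing those endpoints. The script below is an added example, not code from the openSIS project or from this page's source. It scans Apache/nginx "combined"-format access logs for requests that reach the endpoints listed above with generic SQL-injection indicators in the parameter each CVE names, and adds a generic `../` traversal check. The endpoint/parameter/CVE triples come from the table; the suffix-based path matching (to tolerate different install prefixes such as `/opensis/`), the indicator regexes and the sample log lines are constructed for this example and are not openSIS-specific payloads.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# (path suffix, parameter, CVE) taken from the openSIS CVE table on this page.
# Paths are matched as suffixes because the install prefix (/opensis/ or /) varies
# between deployments; that suffix handling is an assumption of this example.
SQLI_SINKS = [
    ("NamesList.php", "str", "CVE-2021-39378"),
    ("modules/grades/InputFinalGrades.php", "period", "CVE-2021-41679"),
    ("modules/users/Staff.php", "staff[TITLE]", "CVE-2021-41678"),
    ("functions/GetStuListFnc.php", "Grade", "CVE-2021-41677"),
    ("HoldAddressFields.php", "ADDR_CONT_USRN", "CVE-2021-40618"),
    ("HoldAddressFields.php", "ADDR_CONT_PSWD", "CVE-2021-40618"),
    ("HoldAddressFields.php", "SECN_CONT_USRN", "CVE-2021-40618"),
    ("HoldAddressFields.php", "SECN_CONT_PSWD", "CVE-2021-40618"),
    ("ResetUserInfo.php", "password_stn_id", "CVE-2021-39379"),
    ("index.php", "USERNAME", "CVE-2021-40353"),
    ("CheckDuplicateStudent.php", "byear", "CVE-2020-6119"),
    ("Ajax.php", "id", "CVE-2025-26186"),
    ("modules/eligibility/Student.php", "student_id", "CVE-2022-27041"),
]

# Generic SQL-injection indicators (quotes, comment markers, UNION/SELECT, MySQL
# time- and error-based functions, simple tautologies). Tuned for triage, not blocking:
# a legitimate apostrophe in a surname will also trip the quote check.
SQLI_INDICATOR = re.compile(
    r"(?i)(?:['\"]|--|/\*|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\("
    r"|\bextractvalue\s*\(|\bupdatexml\s*\(|\b(?:or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+)"
)
TRAVERSAL_INDICATOR = re.compile(r"\.\.[/\\]")

# Apache/nginx "combined" access-log line: ip ident user [ts] "METHOD target PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def analyze_line(line):
    """Return a list of finding dicts for one access-log line (empty if nothing suspicious)."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    path = unquote(parts.path)  # decode %2F etc. so traversal in the path is visible
    params = parse_qs(parts.query, keep_blank_values=True)  # keys and values are URL-decoded
    base = {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "path": path, "status": m.group("status")}
    findings = []
    for suffix, param, cve in SQLI_SINKS:
        if not path.endswith(suffix):
            continue
        for value in params.get(param, []):
            hits = SQLI_INDICATOR.findall(value)
            if hits:
                findings.append({**base, "kind": "sqli", "param": param,
                                 "indicator": ", ".join(hits), "ref": cve})
    # Generic traversal check over the decoded path and every parameter value
    for value in [path] + [v for vs in params.values() for v in vs]:
        if TRAVERSAL_INDICATOR.search(value):
            findings.append({**base, "kind": "traversal", "param": None,
                             "indicator": value, "ref": "CVE-2020-13383 (generic check)"})
            break
    return findings


def analyze(lines):
    """Run analyze_line over an iterable of log lines and concatenate the findings."""
    out = []
    for line in lines:
        out.extend(analyze_line(line))
    return out


# Constructed sample log lines for this example; not real traffic. Lines 1, 2 and 5 should
# be flagged; lines 3 and 4 are ordinary use of the same endpoints and should not be.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Sep/2021:10:12:33 +0000] "GET /opensis/NamesList.php?str=ab%27%20UNION%20SELECT%201%2C2%2C3--%20 HTTP/1.1" 200 512 "-" "curl/7.79"',
    '203.0.113.7 - - [01/Sep/2021:10:12:40 +0000] "GET /opensis/ResetUserInfo.php?password_stn_id=1%20AND%20SLEEP(5) HTTP/1.1" 200 88 "-" "curl/7.79"',
    '198.51.100.4 - - [01/Sep/2021:10:13:01 +0000] "GET /opensis/NamesList.php?str=smith HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Sep/2021:10:13:05 +0000] "GET /opensis/modules/users/Staff.php?staff%5BTITLE%5D=Teacher HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Sep/2021:10:14:10 +0000] "GET /opensis/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0 "-" "python-requests/2.26"',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['kind']:9} {f['path']} {f['param']} -> {f['indicator']!r} [{f['ref']}]")
```

Two caveats when running this against real logs. Several of the listed parameters (the HoldAddressFields.php credentials, the index.php USERNAME field, InputFinalGrades.php) are normally sent in a POST body, which standard access logs do not record, so this only catches attackers who put the payload in the query string; request-body logging at a reverse proxy or WAF audit log is needed for the rest. And because CVE-2020-13383 names no specific file, the traversal check is deliberately generic and should be read as "someone is probing", not as a confirmed exploitation of that CVE.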