VYPR
Vendor: openSIS

Products: 2
CVEs: 27
Across products: 28
Status: Private

Recent CVEs

  • CVE-2020-13381 | Critical | Jul 1, 2020
    risk 0.71 | cvss 9.8 | epss 0.59

    openSIS through 7.4 allows SQL Injection.

  • CVE-2021-40617 | Critical | Oct 11, 2021
    risk 0.67 | cvss 9.8 | epss 0.05

    An SQL Injection vulnerability exists in openSIS Community Edition version 8.0 via ForgotPassUserName.php.

  • CVE-2021-39378 | Critical | Sep 1, 2021
    risk 0.66 | cvss 9.8 | epss 0.23

    A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the NamesList.php str parameter.

  • CVE-2020-13382 | Critical | Jul 1, 2020
    risk 0.66 | cvss 9.1 | epss 0.53

    openSIS through 7.4 has Incorrect Access Control.

  • CVE-2021-41679 | Critical | Nov 30, 2021
    risk 0.64 | cvss 9.8 | epss 0.01

    A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/modules/grades/InputFinalGrades.php, period parameter.

  • CVE-2021-41678 | Critical | Nov 30, 2021
    risk 0.64 | cvss 9.8 | epss 0.01

    A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/modules/users/Staff.php, staff{TITLE] parameter.

  • CVE-2021-41677 | Critical | Nov 30, 2021
    risk 0.64 | cvss 9.8 | epss 0.01

    A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/functions/GetStuListFnc.php &Grade= parameter.

  • CVE-2021-40618 | Critical | Oct 12, 2021
    risk 0.64 | cvss 9.8 | epss 0.01

    An SQL Injection vulnerability exists in openSIS Classic 8.0 via the 1) ADDR_CONT_USRN, 2) ADDR_CONT_PSWD, 3) SECN_CONT_USRN or 4) SECN_CONT_PSWD parameters in HoldAddressFields.php.

  • CVE-2021-39379 | Critical | Sep 1, 2021
    risk 0.64 | cvss 9.8 | epss 0.04

    A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the ResetUserInfo.php password_stn_id parameter.

  • CVE-2021-40353 | Critical | Sep 1, 2021
    risk 0.64 | cvss 9.8 | epss 0.03

    A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the index.php USERNAME parameter. NOTE: this issue may exist because of an incomplete fix for…

  • CVE-2024-35584 | High | Oct 15, 2024
    risk 0.58 | cvss 8.8 | epss 0.07

    SQL injection vulnerabilities were discovered in Ajax.php, ForWindow.php, ForExport.php, Modules.php, functions/HackingLogFnc.php in OpenSis Community Edition 9.1 to 8.0, and possibly earlier versions. It is possible for an authenticated user to perform SQL Injection due to the…

  • CVE-2023-38885 | High | Nov 20, 2023
    risk 0.57 | cvss 8.8 | epss 0.00

    OpenSIS Classic Community Edition version 9.0 lacks cross-site request forgery (CSRF) protection throughout the whole app. This may allow an attacker to trick an authenticated user into performing any kind of state changing request.

  • CVE-2020-6119 | High | Sep 1, 2020
    risk 0.57 | cvss 8.8 | epss 0.01

    SQL injection vulnerabilities exist in the CheckDuplicateStudent.php page of OS4Ed openSIS 7.3. The byear parameter in the page CheckDuplicateStudent.php is vulnerable to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

  • CVE-2025-26186 | High | Jul 15, 2025
    risk 0.53 | cvss 8.1 | epss 0.00

    SQL Injection vulnerability in openSIS v.9.1 allows a remote attacker to execute arbitrary code via the id parameter in Ajax.php.

  • CVE-2023-38884 | High | Nov 20, 2023
    risk 0.49 | cvss 7.5 | epss 0.01

    An Insecure Direct Object Reference (IDOR) vulnerability in the Community Edition version 9.0 of openSIS Classic allows an unauthenticated remote attacker to access any student's files by visiting '/assets/studentfiles/-'

  • CVE-2022-27041 | High | Apr 11, 2022
    risk 0.49 | cvss 7.5 | epss 0.01

    Due to lack of protection, parameter student_id in OpenSIS Classic 8.0 /modules/eligibility/Student.php can be used to inject SQL queries to extract information from databases.

  • CVE-2020-27408 | High | Dec 4, 2020
    risk 0.49 | cvss 7.5 | epss 0.02

    OpenSIS Community Edition through 7.6 is affected by incorrect access controls for the file ResetUserInfo.php that allow an unauthenticated attacker to change the password of arbitrary users.

  • CVE-2021-40310 | Medium | Sep 24, 2021
    risk 0.35 | cvss 5.4 | epss 0.01

    OpenSIS Community Edition version 8.0 is affected by a cross-site scripting (XSS) vulnerability in the TakeAttendance.php via the cp_id_miss_attn parameter.

  • CVE-2020-13383 | High | Jul 1, 2020
    risk 0.09 | cvss 7.5 | epss 0.70

    openSIS through 7.4 allows Directory Traversal.

  • CVE-2013-1349 | Dec 9, 2013
    risk 0.05 | cvss (not listed) | epss 0.23

    Eval injection vulnerability in ajax.php in openSIS 4.5 through 5.2 allows remote attackers to execute arbitrary PHP code via the modname parameter.