Filtered by vendor Os4ed
Subscriptions
Total
72 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-22926 | 1 Os4ed | 1 Opensis | 2025-04-30 | 9.8 Critical |
| An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal by sending a crafted POST request to /Modules.php?modname=messaging/Inbox.php&modfunc=save&filename. | ||||
| CVE-2025-22929 | 1 Os4ed | 1 Opensis | 2025-04-29 | 9.8 Critical |
| OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the filter_id parameter at /students/StudentFilters.php. | ||||
| CVE-2025-22930 | 1 Os4ed | 1 Opensis | 2025-04-29 | 9.8 Critical |
| OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the groupid parameter at /messaging/Group.php. | ||||
| CVE-2025-22924 | 1 Os4ed | 1 Opensis | 2025-04-29 | 8.8 High |
| OS4ED openSIS v7.0 through v9.1 contains a SQL injection vulnerability via the stu_id parameter at /modules/students/Student.php. | ||||
| CVE-2025-22925 | 1 Os4ed | 1 Opensis | 2025-04-29 | 7.5 High |
| OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the table parameter at /attendance/AttendanceCodes.php. The remote, authenticated attacker requires the admin role to successfully exploit this vulnerability. | ||||
| CVE-2021-40617 | 1 Os4ed | 1 Opensis | 2025-04-16 | 9.8 Critical |
| An SQL Injection vulnerability exists in openSIS Community Edition version 8.0 via ForgotPassUserName.php. | ||||
| CVE-2014-8366 | 1 Os4ed | 1 Opensis | 2025-04-12 | N/A |
| SQL injection vulnerability in openSIS 4.5 through 5.3 allows remote attackers to execute arbitrary SQL commands via the Username and password to index.php. | ||||
| CVE-2013-1349 | 1 Os4ed | 1 Opensis | 2025-04-11 | N/A |
| Eval injection vulnerability in ajax.php in openSIS 4.5 through 5.2 allows remote attackers to execute arbitrary PHP code via the modname parameter. | ||||
| CVE-2022-45962 | 1 Os4ed | 1 Opensis | 2025-03-21 | 6.5 Medium |
| Open Solutions for Education, Inc openSIS Community Edition v8.0 and earlier is vulnerable to SQL Injection via CalendarModal.php. | ||||
| CVE-2024-51211 | 1 Os4ed | 1 Opensis-classic | 2024-11-21 | 9.8 Critical |
| SQL injection vulnerability exists in OS4ED openSIS-Classic Version 9.1, specifically in the resetuserinfo.php file. The vulnerability is due to improper input validation of the $username_stn_id parameter, which can be manipulated by an attacker to inject arbitrary SQL commands. | ||||
| CVE-2023-38885 | 1 Os4ed | 1 Opensis | 2024-11-21 | 8.8 High |
| OpenSIS Classic Community Edition version 9.0 lacks cross-site request forgery (CSRF) protection throughout the whole app. This may allow an attacker to trick an authenticated user into performing any kind of state changing request. | ||||
| CVE-2023-38884 | 1 Os4ed | 1 Opensis | 2024-11-21 | 7.5 High |
| An Insecure Direct Object Reference (IDOR) vulnerability in the Community Edition version 9.0 of openSIS Classic allows an unauthenticated remote attacker to access any student's files by visiting '/assets/studentfiles/<studentId>-<filename>' | ||||
| CVE-2023-38883 | 1 Os4ed | 1 Opensis | 2024-11-21 | 6.1 Medium |
| A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'ajax' parameter in 'ParentLookup.php'. | ||||
| CVE-2023-38882 | 1 Os4ed | 1 Opensis | 2024-11-21 | 6.1 Medium |
| A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'include' parameter in 'ForExport.php' | ||||
| CVE-2023-38881 | 1 Os4ed | 1 Opensis | 2024-11-21 | 6.1 Medium |
| A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into any of the 'calendar_id', 'school_date', 'month' or 'year' parameters in 'CalendarModal.php'. | ||||
| CVE-2023-38880 | 1 Os4ed | 1 Opensis | 2024-11-21 | 9.8 Critical |
| The Community Edition version 9.0 of OS4ED's openSIS Classic has a broken access control vulnerability in the database backup functionality. Whenever an admin generates a database backup, the backup is stored in the web root while the file name has a format of "opensisBackup<date>.sql" (e.g. "opensisBackup07-20-2023.sql"), i.e. can easily be guessed. This file can be accessed by any unauthenticated actor and contains a dump of the whole database including password hashes. | ||||
| CVE-2023-38879 | 1 Os4ed | 1 Opensis | 2024-11-21 | 7.5 High |
| The Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to read arbitrary files via a directory traversal vulnerability in the 'filename' parameter of 'DownloadWindow.php'. | ||||
| CVE-2022-27041 | 1 Os4ed | 1 Opensis | 2024-11-21 | 7.5 High |
| Due to lack of protection, parameter student_id in OpenSIS Classic 8.0 /modules/eligibility/Student.php can be used to inject SQL queries to extract information from databases. | ||||
| CVE-2021-41679 | 1 Os4ed | 1 Opensis | 2024-11-21 | 9.8 Critical |
| A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/modules/grades/InputFinalGrades.php, period parameter. | ||||
| CVE-2021-41678 | 1 Os4ed | 1 Opensis | 2024-11-21 | 9.8 Critical |
| A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/modules/users/Staff.php, staff{TITLE] parameter. | ||||