CVE-2020-6637
Published 2020-08-24

CVE-2020-6637: openSIS Community Edition version 7.3 is vulnerable to SQL injection via the USERNAME parameter of index.php.

Priority: P269 · critical · 9.8 (CVSS 3.1) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 20.06% (97.1th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| os4ed | opensis | — | — |
| os4ed | opensis | — | — |
Detection & IOCs (extracted from sources)
- url: /account/index.php
- url: /opensis/index.php
- command: USERNAME=%27%29or%601%60%3D%601%60%3B--+-&PASSWORD=A&language=en&log=
- other: UPDATE login_authentication SET FAILED_LOGIN=FAILED_LOGIN+1 WHERE UPPER(USERNAME)=UPPER(NULL)or`1`=`1`;-- -')

- Detect CVE-2020-6637 exploitation by monitoring POST requests to index.php with a USERNAME parameter containing SQL injection payload: URL-decoded form is ')or`1`=`1`;-- -
- A vulnerable OpenSIS instance will return the string 'SQL STATEMENT:' in the HTTP response body when the SQL injection payload is successful — use this as a confirmation matcher
- The response body of a vulnerable instance will also echo back the raw SQL query including the injected payload string
- Use Shodan queries 'http.title:"openSIS"' or 'http.title:"opensis"' to identify exposed OpenSIS instances for targeted scanning
- Use FOFA query 'title="opensis"' or Google dork 'intitle:"opensis"' to discover additional exposed OpenSIS instances
- The vulnerability also affects openSIS version 8.0 (CVE-2021-40353) via the same USERNAME parameter of index.php, suggesting the fix for CVE-2020-6637 was incomplete
- The injection endpoint varies by deployment path; three candidate paths must be probed: /account/index.php, /opensis/index.php, and /index.php
- The vulnerability is confirmed only when MySQL or MariaDB is used as the backend database; other database engines may not be affected
- The POST request must set Content-Type to application/x-www-form-urlencoded for the injection to be processed correctly
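
The detection notes above can be turned into a log-side check. The following is an added example, not code from the page or from the openSIS project: it classifies captured HTTP events and generalizes from the one quoted payload to any SQL metacharacter in the decoded USERNAME field. The event dictionary layout and the metacharacter heuristic are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The page's three candidate paths all end in /index.php.
LOGIN_SUFFIX = "/index.php"
FORM_TYPE = "application/x-www-form-urlencoded"
ERROR_MARKER = "SQL STATEMENT:"  # error banner the page cites as confirmation
# Assumed heuristic: SQL metacharacters a login name should never contain.
SUSPICIOUS = re.compile(r"['\"`;]|--|/\*")


def classify(event):
    """Return 'clean', 'attempt' or 'attempt+sql-error-leak' for one event.

    The dict layout (method, path, content_type, body, response_body) is
    hypothetical; map your proxy or WAF fields onto it.
    """
    if event["method"].upper() != "POST":
        return "clean"
    if not urlsplit(event["path"]).path.lower().endswith(LOGIN_SUFFIX):
        return "clean"
    if FORM_TYPE not in event.get("content_type", "").lower():
        return "clean"
    # parse_qs percent-decodes values; compare the field name case-insensitively.
    fields = parse_qs(event.get("body", ""), keep_blank_values=True)
    names = [v for k, vals in fields.items() if k.upper() == "USERNAME" for v in vals]
    if not any(SUSPICIOUS.search(n) for n in names):
        return "clean"
    if ERROR_MARKER in event.get("response_body", ""):
        return "attempt+sql-error-leak"
    return "attempt"


# Constructed sample events; the first body is the request string quoted above.
INJ = "USERNAME=%27%29or%601%60%3D%601%60%3B--+-&PASSWORD=A&language=en&log="
SAMPLES = [
    {"method": "POST", "path": "/opensis/index.php", "content_type": FORM_TYPE,
     "body": INJ, "response_body": "<b>SQL STATEMENT:</b> UPDATE login_authentication ..."},
    {"method": "POST", "path": "/account/index.php",
     "content_type": FORM_TYPE + "; charset=UTF-8", "body": INJ,
     "response_body": "<html>Login</html>"},
    {"method": "POST", "path": "/index.php", "content_type": FORM_TYPE,
     "body": "USERNAME=jsmith&PASSWORD=hunter2&language=en&log=", "response_body": ""},
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(ev["path"], "->", classify(ev))
```

An 'attempt+sql-error-leak' verdict means the server echoed its SQL error banner, which the notes above treat as confirmation that the instance is vulnerable and should be patched first.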
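CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |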
GHSA
GHSA-7xfc-rffr-4vx2: A SQL injection vulnerability exists in version 8
ghsa_unreviewed·2022-05-24·CVSS 9.8
CVE-2021-40353 [CRITICAL] CWE-89 GHSA-7xfc-rffr-4vx2: A SQL injection vulnerability exists in version 8
A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the index.php USERNAME parameter. NOTE: this issue may exist because of an incomplete fix for CVE-2020-6637.
GHSA
GHSA-hvjm-9hmq-c635: openSIS Community Edition version 7
ghsa_unreviewed·2022-05-24
CVE-2020-6637 [HIGH] GHSA-hvjm-9hmq-c635: openSIS Community Edition version 7
openSIS Community Edition version 7.3 is vulnerable to SQL injection via the USERNAME parameter of index.php.
No detection rules found.
Nuclei
OpenSIS 7.3 - SQL Injection
nuclei·CVSS 9.8
CVE-2020-6637 [CRITICAL] OpenSIS 7.3 - SQL Injection
OpenSIS Community Edition version 7.3 is vulnerable to SQL injection via the USERNAME parameter of index.php.
Template:
```yaml
id: CVE-2020-6637

info:
  name: OpenSIS 7.3 - SQL Injection
  author: pikpikcu
  severity: critical
  description: OpenSIS Community Edition version 7.3 is vulnerable to SQL injection via the USERNAME parameter of index.php.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data manipulation, or data leakage.
  remediation: |
    Apply the latest security patch or upgrade to a patched version of OpenSIS.
  reference:
    - https://cinzinga.com/CVE-2020-6637/
    - https://nvd.nist.gov/vuln/detail/CVE-2020-6637
    - https://sourceforge.net/projects/opensis-ce/fi
```
No writeups or analysis indexed.
- https://cinzinga.com/CVE-2020-6637/
- https://github.com/OS4ED/openSIS-Responsive-Design/commit/1127ae0bb7c3a2883febeabc6b71ad8d73510de8
- https://opensis.com/
- https://sourceforge.net/projects/opensis-ce/files/