cbcvebase.
CVE-2020-6637
published 2020-08-24

CVE-2020-6637: openSIS Community Edition version 7.3 is vulnerable to SQL injection via the USERNAME parameter of index.php.

Priority: P2 · 69 · critical · 9.8 · CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT: known public exploit
EPSS: 20.06% (97.1 percentile)

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
os4ed  | opensis | (not listed)  | (not listed)
os4ed  | opensis | (not listed)  | (not listed)

Detection & IOCs (extracted from sources)

url:     /account/index.php
url:     /opensis/index.php
command: USERNAME=%27%29or%601%60%3D%601%60%3B--+-&PASSWORD=A&language=en&log=
other:   UPDATE login_authentication SET FAILED_LOGIN=FAILED_LOGIN+1 WHERE UPPER(USERNAME)=UPPER(NULL)or`1`=`1`;-- -')
  • Detect CVE-2020-6637 exploitation by monitoring POST requests to index.php whose USERNAME parameter carries an SQL injection payload; the URL-decoded form of the observed payload is ')or`1`=`1`;-- -
  • A vulnerable openSIS instance returns the string 'SQL STATEMENT:' in the HTTP response body when the injection succeeds; use this as a confirmation matcher
  • The response body of a vulnerable instance also echoes back the raw SQL query, including the injected payload string
  • Use the Shodan queries 'http.title:"openSIS"' or 'http.title:"opensis"' to identify exposed openSIS instances for targeted scanning
  • Use the FOFA query 'title="opensis"' or the Google dork 'intitle:"opensis"' to discover additional exposed openSIS instances
  • The same USERNAME parameter of index.php is also injectable in openSIS version 8.0 (CVE-2021-40353), suggesting the fix for CVE-2020-6637 was incomplete
  • The injection endpoint varies by deployment path; probe all three candidate paths: /account/index.php, /opensis/index.php, and /index.php
  • The vulnerability is confirmed only when MySQL or MariaDB is the backend database; the backtick-quoted identifiers in the payload are MySQL/MariaDB syntax, so other database engines may not be affected
  • The POST request must set Content-Type to application/x-www-form-urlencoded for the injected USERNAME value to be processed
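The detection notes above, worked into a small scanner. This is an added example, not code from the page or from the openSIS project: it assumes a reverse proxy or WAF that logs each request as a JSON record with the raw POST body and the response body (a constructed format), parses the form body with the same URL-decoding the page describes, flags a USERNAME value that carries the payload's characteristic tokens, and marks the alert confirmed when the response echoes 'SQL STATEMENT:'. The sample records are constructed, not real traffic.

```python
import json
import re
from urllib.parse import parse_qs

# Login endpoint candidates listed on the page; the deployment prefix varies.
CANDIDATE_PATHS = {"/index.php", "/opensis/index.php", "/account/index.php"}

# Indicators derived from the page's payload, ')or`1`=`1`;-- - .
# Backtick-quoted identifiers are MySQL/MariaDB syntax, matching the page's
# note that the injection is only confirmed on those backends.
INDICATORS = {
    "quote_paren_break": re.compile(r"'\s*\)"),
    "backtick_tautology": re.compile(r"`[^`]*`\s*=\s*`[^`]*`"),
    "terminator_comment": re.compile(r";\s*--\s*-"),
    "or_keyword": re.compile(r"\bor\b", re.IGNORECASE),
}

# Marker the page says a vulnerable instance echoes when the injection fires.
CONFIRM_MARKER = "SQL STATEMENT:"


def inspect_request(rec):
    """Return an alert dict for a suspicious openSIS login POST, else None.

    `rec` is one proxy/WAF record (assumed format) with keys: method, path,
    content_type, body (raw URL-encoded form), response_body.
    """
    if rec.get("method") != "POST" or rec.get("path") not in CANDIDATE_PATHS:
        return None
    # parse_qs percent-decodes and turns '+' into a space, which yields the
    # decoded form the page lists: ')or`1`=`1`;-- -
    fields = parse_qs(rec.get("body", ""), keep_blank_values=True)
    username = fields.get("USERNAME", [""])[0]
    hits = [name for name, rx in INDICATORS.items() if rx.search(username)]
    if not hits:
        return None
    ctype = rec.get("content_type", "").split(";")[0].strip().lower()
    return {
        "path": rec["path"],
        "username": username,
        "indicators": hits,
        # The page says the body must be form-urlencoded to reach the query.
        "processable": ctype == "application/x-www-form-urlencoded",
        # The response marker shows the injected string reached the SQL layer.
        "confirmed": CONFIRM_MARKER in rec.get("response_body", ""),
    }


def scan(lines):
    """Run inspect_request over an iterable of JSON lines; return the alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if line:
            alert = inspect_request(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample records (not real traffic): a normal login, the page's
# payload against two candidate paths (one with the wrong Content-Type), and
# a GET that the scanner ignores.
SAMPLE_RECORDS = [
    {"method": "POST", "path": "/opensis/index.php",
     "content_type": "application/x-www-form-urlencoded",
     "body": "USERNAME=jsmith&PASSWORD=hunter2&language=en&log=",
     "response_body": "<html>Welcome</html>"},
    {"method": "POST", "path": "/opensis/index.php",
     "content_type": "application/x-www-form-urlencoded; charset=UTF-8",
     "body": "USERNAME=%27%29or%601%60%3D%601%60%3B--+-&PASSWORD=A&language=en&log=",
     "response_body": "SQL STATEMENT: UPDATE login_authentication SET FAILED_LOGIN=FAILED_LOGIN+1 "
                      "WHERE UPPER(USERNAME)=UPPER(NULL)or`1`=`1`;-- -')"},
    {"method": "POST", "path": "/account/index.php",
     "content_type": "application/json",
     "body": "USERNAME=%27%29or%601%60%3D%601%60%3B--+-&PASSWORD=A",
     "response_body": "<html>Login</html>"},
    {"method": "GET", "path": "/index.php", "content_type": "", "body": "",
     "response_body": "<html>Login</html>"},
]
SAMPLE_LOG = [json.dumps(r) for r in SAMPLE_RECORDS]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(json.dumps(alert))
```

Matching on the decoded USERNAME value rather than on the raw body avoids misses when an attacker re-encodes the same payload differently, and the separate `processable` and `confirmed` fields let a responder tell a failed probe from a successful injection without reading the raw records.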

CVSS provenance

NVD v3.1: 9.8 CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P