cbcvebase.
CVE-2021-41691
published 2025-06-24

CVE-2021-41691: A SQL injection vulnerability exists in OS4Ed Open Source Information System Community v8.0 via the "student_id" and "TRANSFER{SCHOOL]" parameters in POST…

PriorityP179critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
1.72%
74.6th percentile
A SQL injection vulnerability exists in OS4Ed Open Source Information System Community v8.0 via the "student_id" and "TRANSFER{SCHOOL]" parameters in POST request sent to /TransferredOutModal.php.

Affected

1 ranges
VendorProductVersion rangeFixed in
os4edopensis

Detection & IOCsextracted from sources · hover to see the quote

url/TransferredOutModal.php?modfunc=detail
path/TransferredOutModal.php
commandstudent_id=updatexml(0x23,concat(1,md5(999999999)),1)&button=Save&TRANSFER[SCHOOL]=5&TRANSFER[Grade_Level]=5
  • Detect exploitation attempts by monitoring POST requests to /TransferredOutModal.php containing SQL injection payloads in the student_id or TRANSFER[SCHOOL] parameters, specifically looking for updatexml() or concat() function calls.
  • Successful exploitation produces a response body containing the strings '<!-- SQL STATEMENT:' and 'SELECT COUNT(STUDENT_ID)' — monitor HTTP responses for these patterns as a post-exploitation indicator.
  • Exploitation requires prior authentication; monitor for login attempts to /index.php followed immediately by POST requests to /TransferredOutModal.php, which is the two-step attack chain.
  • ·Exploitation requires valid credentials; the Nuclei template uses default credentials (student / student@123) suggesting the attack is viable against installations with default or weak credentials.
  • ·The vulnerability is confirmed against openSIS version 8.0 specifically; other versions are not referenced in the source material.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.