CVE-2024-51211
published 2024-11-08


Priority: P1 (80)
CVSS 3.1: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit status: exploited in the wild (VulnCheck KEV)
EPSS: 2.19% (80.2th percentile)
SQL injection vulnerability exists in OS4ED openSIS-Classic Version 9.1, specifically in the resetuserinfo.php file. The vulnerability is due to improper input validation of the $username_stn_id parameter, which can be manipulated by an attacker to inject arbitrary SQL commands.

Affected (2 ranges)

Vendor   Product   Version range   Fixed in
os4ed    opensis
os4ed    opensis

Detection & IOCs (extracted from sources)

path: /ResetUserInfo.php
url: /ResetUserInfo.php?user_type_form=username&uname_user_type=uname_student&username_stn_id=21+OR+3720%3dBENCHMARK(7000000,MD5(0x6e48446e))&pass=1&month_username_dob=x&day_username_dob=x&year_username_dob=x
command: username_stn_id=21+OR+3720%3dBENCHMARK(7000000,MD5(0x6e48446e))
  • Time-based SQL injection detection: look for HTTP GET requests to /ResetUserInfo.php with a BENCHMARK() payload in the username_stn_id parameter causing response duration >= 7 seconds.
  • Confirm exploitation by checking that the HTTP 200 response body contains both 'forgotpass.php' and 'opensis' (case-insensitive), indicating a valid openSIS instance was targeted.
  • Use FOFA/Shodan queries 'title="openSIS"' or 'title:"openSIS"' to identify exposed openSIS instances for proactive scanning.
  • The vulnerable parameter is $username_stn_id in the GET request to ResetUserInfo.php; monitor web logs for BENCHMARK() or OR-based SQL injection patterns in this parameter.
  • The vulnerability is unauthenticated (PR:N, UI:N) and network-reachable (AV:N), meaning no credentials are required to exploit it against any exposed openSIS Classic v9.1 instance.
  • The exploit uses a time-based blind SQL injection technique via MySQL's BENCHMARK() function with 7,000,000 iterations; detection rules should account for a response delay threshold of >= 7 seconds.
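The web-log detection described in the bullets above (BENCHMARK() or OR-based payloads in the username_stn_id parameter of requests to /ResetUserInfo.php, corroborated by a response time of 7 seconds or more) as an added example; this is not code from the page or from the openSIS project. It assumes Apache combined-format access logs with the request duration in microseconds appended as the last field (LogFormat "%D"); the log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format, plus the
# response time in microseconds as the last field, i.e. LogFormat "... %D").
# Line 1 carries the BENCHMARK() payload from the IOCs above, line 2 an
# OR-style tautology, line 3 a benign lookup, line 4 an unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Nov/2024:10:15:01 +0000] "GET /ResetUserInfo.php?user_type_form=username&uname_user_type=uname_student&username_stn_id=21+OR+3720%3dBENCHMARK(7000000,MD5(0x6e48446e))&pass=1&month_username_dob=x&day_username_dob=x&year_username_dob=x HTTP/1.1" 200 5120 "-" "curl/8.4.0" 7310042
203.0.113.5 - - [08/Nov/2024:10:15:10 +0000] "GET /ResetUserInfo.php?user_type_form=username&uname_user_type=uname_student&username_stn_id=21+OR+1%3d1&pass=1 HTTP/1.1" 200 5120 "-" "curl/8.4.0" 120044
198.51.100.7 - - [08/Nov/2024:10:16:22 +0000] "GET /ResetUserInfo.php?user_type_form=username&uname_user_type=uname_student&username_stn_id=10042&pass=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 98211
198.51.100.9 - - [08/Nov/2024:10:17:03 +0000] "GET /index.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0" 45000
"""

# Combined log format with a trailing %D (microseconds) field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<micros>\d+)$'
)

# Indicators from the advisory text: a BENCHMARK() call, or an OR-based
# injection such as "21 OR 3720=...". Values are URL-decoded by parse_qs
# before matching, so "+" and "%3d" have already become " " and "=".
BENCHMARK_RE = re.compile(r'\bBENCHMARK\s*\(', re.IGNORECASE)
OR_INJECTION_RE = re.compile(r'\bOR\s+\S+\s*=', re.IGNORECASE)

VULNERABLE_PATH = '/resetuserinfo.php'
VULNERABLE_PARAM = 'username_stn_id'
SLOW_RESPONSE_SECONDS = 7.0  # BENCHMARK(7000000, ...) delay threshold from the IOCs


def analyze_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    if parts.path.lower() != VULNERABLE_PATH:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    for value in params.get(VULNERABLE_PARAM, []):
        if BENCHMARK_RE.search(value) and 'benchmark_payload' not in reasons:
            reasons.append('benchmark_payload')
        if OR_INJECTION_RE.search(value) and 'or_injection' not in reasons:
            reasons.append('or_injection')
    if not reasons:
        # A slow response on its own is not evidence; it only corroborates
        # an injection indicator in the parameter.
        return None
    duration_s = int(m.group('micros')) / 1_000_000
    if duration_s >= SLOW_RESPONSE_SECONDS:
        reasons.append('slow_response')
    return {
        'ip': m.group('ip'),
        'timestamp': m.group('ts'),
        'status': int(m.group('status')),
        'duration_s': duration_s,
        'reasons': reasons,
    }


def scan(log_text):
    """Run analyze_line over every line and collect the findings."""
    return [f for f in (analyze_line(l) for l in log_text.splitlines()) if f]


if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The status code and duration are kept in each finding because the bullets above treat a 200 response with a delay of 7 seconds or more as the confirmation signal; the response body check for 'forgotpass.php' and 'opensis' is not possible from access logs alone and would need the response captured by a proxy or WAF.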

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck             9.8     CRITICAL