Os4Ed Opensis vulnerabilities
76 known vulnerabilities affecting os4ed/opensis.
Total CVEs: 76
CISA KEV: 0
Public exploits: 11
Exploited in wild: 2
Severity breakdown: CRITICAL 28, HIGH 38, MEDIUM 10
Vulnerabilities
Page 2 of 4
CVE-2020-6141 | P3 | CRITICAL | CVSS 9.8 | v7.3 | 2020-09-01 | CWE-89
An exploitable SQL injection vulnerability exists in the login functionality of OS4Ed openSIS 7.3. A specially crafted HTTP request can lead to SQL injection. An attacker can send an HTTP request to trigger this vulnerability.
nvd
CVE-2021-40309 | P3 | HIGH | CVSS 8.8 | v8.0 | 2021-09-24 | CWE-89
A SQL injection vulnerability exists in the Take Attendance functionality of OS4Ed's OpenSIS 8.0 that allows an attacker to inject their own SQL query. The cp_id_miss_attn parameter from TakeAttendance.php is vulnerable to SQL injection. An attacker can make an authenticated HTTP request as a user with access to "Take Attendance" functionality to trigger t
nvd
CVE-2021-39377 | P3 | CRITICAL | CVSS 9.8 | v8.0 | 2021-09-01 | CWE-89
A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the index.php username parameter.
nvd
CVE-2021-41678 | P3 | CRITICAL | CVSS 9.8 | v8.0 | 2021-11-30 | CWE-89
A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/modules/users/Staff.php, staff[TITLE] parameter.
nvd
CVE-2021-41679 | P3 | CRITICAL | CVSS 9.8 | v8.0 | 2021-11-30 | CWE-89
A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/modules/grades/InputFinalGrades.php, period parameter.
nvd
CVE-2021-40353 | P3 | CRITICAL | CVSS 9.8 | v8.0 | 2021-09-01
A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the index.php USERNAME parameter. NOTE: this issue may exist because of an incomplete fix for CVE-2020-6637.
nvd
CVE-2021-41677 | P3 | CRITICAL | CVSS 9.8 | v8.0 | 2021-11-30 | CWE-89
A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/functions/GetStuListFnc.php &Grade= parameter.
nvd
CVE-2025-22926 | P3 | CRITICAL | CVSS 9.8 | ≥ 8.0, ≤ 9.1 | 2025-04-03 | CWE-22
An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal by sending a crafted POST request to /Modules.php?modname=messaging/Inbox.php&modfunc=save&filename.
nvd
CVE-2025-22927 | P3 | CRITICAL | CVSS 9.1 | ≥ 8.0, ≤ 9.1 | 2025-04-03 | CWE-22
An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal by sending a crafted POST request to /Modules.php?modname=messaging/Inbox.php&modfunc=save&filename.
nvd
CVE-2025-22923 | P3 | HIGH | CVSS 8.8 | ≥ 8.0, ≤ 9.1 | 2025-04-02 | CWE-22
An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal and delete files by sending a crafted POST request to /Modules.php?modname=users/Staff.php&removefile.
nvd
CVE-2020-27408 | P3 | HIGH | CVSS 7.5 | ≤ 7.6 | 2020-12-04 | CWE-287
OpenSIS Community Edition through 7.6 is affected by incorrect access controls for the file ResetUserInfo.php that allow an unauthenticated attacker to change the password of arbitrary users.
nvd
CVE-2025-65594 | P3 | HIGH | CVSS 8.1 | ≤ 9.2 | 2025-12-09 | CWE-284
OpenSIS 9.2 and below is vulnerable to Incorrect Access Control in Student.php, which allows an authenticated low-privilege user to perform unauthorized database write operations relating to the data of other users.
nvd
CVE-2020-6125 | P3 | HIGH | CVSS 8.8 | v7.3 | 2020-09-01 | CWE-89
An exploitable SQL injection vulnerability exists in the GetSchool.php functionality of OS4Ed openSIS 7.3. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
nvd
CVE-2020-6136 | P3 | HIGH | CVSS 8.8 | v7.3 | 2020-09-01 | CWE-89
An exploitable SQL injection vulnerability exists in the DownloadWindow.php functionality of OS4Ed openSIS 7.3. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
nvd
CVE-2020-6135 | P3 | HIGH | CVSS 8.8 | v7.3 | 2020-09-01 | CWE-89
An exploitable SQL injection vulnerability exists in the Validator.php functionality of OS4Ed openSIS 7.3. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
nvd
CVE-2020-6128 | P3 | HIGH | CVSS 8.8 | v7.3 | 2020-09-01 | CWE-89
SQL injection vulnerability exists in the CoursePeriodModal.php page of OS4Ed openSIS 7.3. A specially crafted HTTP request can lead to SQL injection. The meet_date parameter in the page CoursePeriodModal.php is vulnerable to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
nvd
CVE-2025-22929 | P3 | CRITICAL | CVSS 9.8 | ≥ 7.0, ≤ 9.1 | 2025-04-03 | CWE-89
OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the filter_id parameter at /students/StudentFilters.php.
nvd
CVE-2025-22930 | P3 | CRITICAL | CVSS 9.8 | ≥ 7.0, ≤ 9.1 | 2025-04-03 | CWE-89
OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the groupid parameter at /messaging/Group.php.
nvd
CVE-2020-6124 | P3 | HIGH | CVSS 8.8 | v7.3 | 2020-09-01 | CWE-89
An exploitable SQL injection vulnerability exists in the email parameter functionality of OS4Ed openSIS 7.3. The email parameter in the page EmailCheckOthers.php is vulnerable to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
nvd
CVE-2020-6123 | P3 | HIGH | CVSS 8.8 | v7.3 | 2020-09-01 | CWE-89
An exploitable SQL injection vulnerability exists in the email parameter functionality of OS4Ed openSIS 7.3. The email parameter in the page EmailCheck.php is vulnerable to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
nvd