cvebase

Os4Ed Opensis vulnerabilities

76 known vulnerabilities affecting os4ed/opensis.

Total CVEs: 76
CISA KEV: 0
Public exploits: 11
Exploited in wild: 2
Severity breakdown: CRITICAL 28, HIGH 38, MEDIUM 10

Vulnerabilities

Page 4 of 4
CVE-2025-22924 | P3 | HIGH | CVSS 8.8 | ≥ 7.0, ≤ 9.1 | 2025-04-02
CVE-2025-22924 [HIGH] CWE-89: OS4ED openSIS v7.0 through v9.1 contains a SQL injection vulnerability via the stu_id parameter at /modules/students/Student.php.
nvd
CVE-2021-40636 | P3 | HIGH | CVSS 7.5 | v8.0 | 2022-03-03
CVE-2021-40636 [HIGH] CWE-89: OS4ED openSIS 8.0 is affected by SQL Injection in CheckDuplicateName.php, which can extract information from the database.
nvd
CVE-2025-22931 | P3 | HIGH | CVSS 7.5 | ≥ 7.0, ≤ 9.1 | 2025-04-03
CVE-2025-22931 [HIGH] CWE-639: An insecure direct object reference (IDOR) in the component /assets/stafffiles of OS4ED openSIS v7.0 to v9.1 allows unauthenticated attackers to access files uploaded by staff members.
nvd
CVE-2014-8366 | P3 | HIGH | CVSS 7.5 | v4.5, v5.3 | 2014-10-20
CVE-2014-8366 [HIGH] CWE-89: SQL injection vulnerability in openSIS 4.5 through 5.3 allows remote attackers to execute arbitrary SQL commands via the Username and password to index.php.
nvd
CVE-2021-40635 | P3 | HIGH | CVSS 7.5 | v8.0 | 2022-03-03
CVE-2021-40635 [HIGH] CWE-89: OS4ED openSIS 8.0 is affected by SQL injection in ChooseCpSearch.php, ChooseRequestSearch.php. An attacker can inject a SQL query to extract information from the database.
nvd
CVE-2025-26186 | P3 | HIGH | CVSS 8.1 | v9.1 | 2025-07-15
CVE-2025-26186 [HIGH] CWE-89: SQL Injection vulnerability in openSIS v.9.1 allows a remote attacker to execute arbitrary code via the id parameter in Ajax.php.
nvd
CVE-2022-27041 | P3 | HIGH | CVSS 7.5 | v8.0 | 2022-04-11
CVE-2022-27041 [HIGH] CWE-89: Due to lack of protection, parameter student_id in OpenSIS Classic 8.0 /modules/eligibility/Student.php can be used to inject SQL queries to extract information from databases.
nvd
CVE-2023-38885 | P3 | HIGH | CVSS 8.8 | v9.0 | 2023-11-20
CVE-2023-38885 [HIGH] CWE-352: OpenSIS Classic Community Edition version 9.0 lacks cross-site request forgery (CSRF) protection throughout the whole app. This may allow an attacker to trick an authenticated user into performing any kind of state changing request.
nvd
CVE-2025-22925 | P3 | HIGH | CVSS 7.5 | ≥ 7.0, ≤ 9.1 | 2025-04-02
CVE-2025-22925 [HIGH] CWE-89: OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the table parameter at /attendance/AttendanceCodes.php. The remote, authenticated attacker requires the admin role to successfully exploit this vulnerability.
nvd
CVE-2022-45962 | P3 | MEDIUM | CVSS 6.5 | ≤ 8.0 | 2023-02-13
CVE-2022-45962 [MEDIUM] CWE-89: Open Solutions for Education, Inc openSIS Community Edition v8.0 and earlier is vulnerable to SQL Injection via CalendarModal.php.
nvd
CVE-2023-38882 | P4 | MEDIUM | CVSS 6.1 | v9.0 | 2023-11-20
CVE-2023-38882 [MEDIUM] CWE-79: A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'include' parameter in 'ForExport.php'.
nvd
CVE-2023-38883 | P4 | MEDIUM | CVSS 6.1 | v9.0 | 2023-11-20
CVE-2023-38883 [MEDIUM] CWE-79: A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'ajax' parameter in 'ParentLookup.php'.
nvd
CVE-2023-38881 | P4 | MEDIUM | CVSS 6.1 | v9.0 | 2023-11-20
CVE-2023-38881 [MEDIUM] CWE-79: A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into any of the 'calendar_id', 'school_date', 'month' or 'year' parameters in 'CalendarModal.php'.
nvd
CVE-2021-27340 | P4 | MEDIUM | CVSS 6.1 | ≤ 7.6 | 2021-09-16
CVE-2021-27340 [MEDIUM] CWE-79: OpenSIS Community Edition version <= 7.6 is affected by a reflected XSS vulnerability in EmailCheck.php via the "opt" parameter.
nvd
CVE-2020-27409 | P4 | MEDIUM | CVSS 6.1 | fixed in 7.5 | 2020-12-04
CVE-2020-27409 [MEDIUM] CWE-79: OpenSIS Community Edition before 7.5 is affected by a cross-site scripting (XSS) vulnerability in SideForStudent.php via the modname parameter.
nvd
CVE-2021-40637 | P4 | MEDIUM | CVSS 6.1 | v8.0 | 2022-03-03
CVE-2021-40637 [MEDIUM] CWE-79: OS4ED openSIS 8.0 is affected by cross-site scripting (XSS) in EmailCheckOthers.php. An attacker can inject JavaScript code to get the user's cookie and take over the working session of user.
nvd