Opensis

opensis

Vendor: Os4ed • 80 CVEs

CVEs (80)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-65594 1Os4ed 1Opensis Dec 11, 2025 Dec 9, 2025 N/A· v4 8.1 HIGH· v3 N/A· v2 OpenSIS 9.2 and below is vulnerable to Incorrect Access Control in Student.php, which allows an authenticated low-privilege user to perform unauthorized database write operations relating to the data of other users.
CVE-2025-26186 1Os4ed 1Opensis Jul 17, 2025 Jul 15, 2025 N/A· v4 8.1 HIGH· v3 N/A· v2 SQL Injection vulnerability in openSIS v.9.1 allows a remote attacker to execute arbitrary code via the id parameter in Ajax.php
CVE-2021-41691 1Os4ed 1Opensis Jul 9, 2025 Jun 24, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A SQL injection vulnerability exists in OS4Ed Open Source Information System Community v8.0 via the "student_id" and "TRANSFER{SCHOOL]" parameters in POST request sent to /TransferredOutModal.php.
CVE-2025-22931 1Os4ed 1Opensis Jul 17, 2025 Apr 3, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 An insecure direct object reference (IDOR) in the component /assets/stafffiles of OS4ED openSIS v7.0 to v9.1 allows unauthenticated attackers to access files uploaded by staff members.
CVE-2025-22930 1Os4ed 1Opensis Apr 29, 2025 Apr 3, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the groupid parameter at /messaging/Group.php.
CVE-2025-22929 1Os4ed 1Opensis Apr 29, 2025 Apr 3, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the filter_id parameter at /students/StudentFilters.php.
CVE-2025-22926 1Os4ed 1Opensis Apr 30, 2025 Apr 3, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal by sending a crafted POST request to /Modules.php?modname=messaging/Inbox.php&modfunc=save&filename.
CVE-2025-22928 1Os4ed 1Opensis May 2, 2025 Apr 3, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the cp_id parameter at /modules/messages/Inbox.php.
CVE-2025-22927 1Os4ed 1Opensis Jul 17, 2025 Apr 3, 2025 N/A· v4 9.1 CRITICAL· v3 N/A· v2 An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal by sending a crafted POST request to /Modules.php?modname=messaging/Inbox.php&modfunc=save&filename.
CVE-2025-22925 1Os4ed 1Opensis Apr 29, 2025 Apr 2, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the table parameter at /attendance/AttendanceCodes.php. The remote, authenticated attacker requires the admin role to successfully ex...Show more OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the table parameter at /attendance/AttendanceCodes.php. The remote, authenticated attacker requires the admin role to successfully exploit this vulnerability.Show less
CVE-2025-22924 1Os4ed 1Opensis Apr 29, 2025 Apr 2, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 OS4ED openSIS v7.0 through v9.1 contains a SQL injection vulnerability via the stu_id parameter at /modules/students/Student.php.
CVE-2025-22923 1Os4ed 1Opensis Jul 17, 2025 Apr 2, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal and delete files by sending a crafted POST request to /Modules.php?modname=users/Staff.php&removefile.
CVE-2024-51211 1Os4ed 1Opensis Jul 17, 2025 Nov 8, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 SQL injection vulnerability exists in OS4ED openSIS-Classic Version 9.1, specifically in the resetuserinfo.php file. The vulnerability is due to improper input validation of the $username_stn_id parameter, which can be m...Show more SQL injection vulnerability exists in OS4ED openSIS-Classic Version 9.1, specifically in the resetuserinfo.php file. The vulnerability is due to improper input validation of the $username_stn_id parameter, which can be manipulated by an attacker to inject arbitrary SQL commands.Show less
CVE-2024-35584 1Os4ed 1Opensis Jul 17, 2025 Oct 15, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 SQL injection vulnerabilities were discovered in Ajax.php, ForWindow.php, ForExport.php, Modules.php, functions/HackingLogFnc.php in OpenSis Community Edition 9.1 to 8.0, and possibly earlier versions. It is possible for...Show more SQL injection vulnerabilities were discovered in Ajax.php, ForWindow.php, ForExport.php, Modules.php, functions/HackingLogFnc.php in OpenSis Community Edition 9.1 to 8.0, and possibly earlier versions. It is possible for an authenticated user to perform SQL Injection due to the lack to sanitisation. The application takes arbitrary value from "X-Forwarded-For" header and appends it to a SQL INSERT statement directly, leading to SQL Injection.Show less
CVE-2024-46626 1Os4ed 1Opensis Jul 17, 2025 Oct 2, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 OS4ED openSIS-Classic v9.1 was discovered to contain a SQL injection vulnerability via a crafted payload.
CVE-2023-38885 1Os4ed 1Opensis Nov 21, 2024 Nov 20, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 OpenSIS Classic Community Edition version 9.0 lacks cross-site request forgery (CSRF) protection throughout the whole app. This may allow an attacker to trick an authenticated user into performing any kind of state chang...Show more OpenSIS Classic Community Edition version 9.0 lacks cross-site request forgery (CSRF) protection throughout the whole app. This may allow an attacker to trick an authenticated user into performing any kind of state changing request.Show less
CVE-2023-38884 1Os4ed 1Opensis Nov 21, 2024 Nov 20, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 An Insecure Direct Object Reference (IDOR) vulnerability in the Community Edition version 9.0 of openSIS Classic allows an unauthenticated remote attacker to access any student's files by visiting '/assets/studentfiles/<...Show more An Insecure Direct Object Reference (IDOR) vulnerability in the Community Edition version 9.0 of openSIS Classic allows an unauthenticated remote attacker to access any student's files by visiting '/assets/studentfiles/<studentId>-<filename>'Show less
CVE-2023-38883 1Os4ed 1Opensis Nov 21, 2024 Nov 20, 2023 N/A· v4 6.1 MEDIUM· v3 N/A· v2 A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a ma...Show more A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'ajax' parameter in 'ParentLookup.php'.Show less
CVE-2023-38882 1Os4ed 1Opensis Nov 21, 2024 Nov 20, 2023 N/A· v4 6.1 MEDIUM· v3 N/A· v2 A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a ma...Show more A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'include' parameter in 'ForExport.php'Show less
CVE-2023-38881 1Os4ed 1Opensis Nov 21, 2024 Nov 20, 2023 N/A· v4 6.1 MEDIUM· v3 N/A· v2 A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a ma...Show more A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into any of the 'calendar_id', 'school_date', 'month' or 'year' parameters in 'CalendarModal.php'.Show less

12 3 4 Next