Product

os4ed opensis

80 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2025-65594
<= 9.2
OpenSIS 9.2 and below is vulnerable to Incorrect Access Control in Student.php, which allows an authenticated low-privilege user t
8.1 HIGH
CVE-2025-26186
all versions
SQL Injection vulnerability in openSIS v.9.1 allows a remote attacker to execute arbitrary code via the id parameter in Ajax.php
8.1 HIGH
CVE-2021-41691
all versions
A SQL injection vulnerability exists in OS4Ed Open Source Information System Community v8.0 via the "student_id" and "TRANSFER{SCH
9.8 CRITICAL
CVE-2025-22931
>= 7.0 and <= 9.1
An insecure direct object reference (IDOR) in the component /assets/stafffiles of OS4ED openSIS v7.0 to v9.1 allows unauthenticate
7.5 HIGH
CVE-2025-22930
>= 7.0 and <= 9.1
OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the groupid parameter at /messaging/Group.p
9.8 CRITICAL
CVE-2025-22929
>= 7.0 and <= 9.1
OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the filter_id parameter at /students/Studen
9.8 CRITICAL
CVE-2025-22926
>= 8.0 and <= 9.1
An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal by sending a crafted POST request to
9.8 CRITICAL
CVE-2025-22928
>= 7.0 and <= 9.1
OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the cp_id parameter at /modules/messages/In
9.8 CRITICAL
CVE-2025-22927
>= 8.0 and <= 9.1
An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal by sending a crafted POST request to
9.1 CRITICAL
CVE-2025-22925
>= 7.0 and <= 9.1
OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the table parameter at /attendance/Attendan
7.5 HIGH
CVE-2025-22924
>= 7.0 and <= 9.1
OS4ED openSIS v7.0 through v9.1 contains a SQL injection vulnerability via the stu_id parameter at /modules/students/Student.php.
8.8 HIGH
CVE-2025-22923
>= 8.0 and <= 9.1
An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal and delete files by sending a crafte
8.8 HIGH
CVE-2024-51211
all versions
SQL injection vulnerability exists in OS4ED openSIS-Classic Version 9.1, specifically in the resetuserinfo.php file. The vulnerabi
9.8 CRITICAL
CVE-2024-35584
all versions
SQL injection vulnerabilities were discovered in Ajax.php, ForWindow.php, ForExport.php, Modules.php, functions/HackingLogFnc.php
8.8 HIGH
CVE-2024-46626
all versions
OS4ED openSIS-Classic v9.1 was discovered to contain a SQL injection vulnerability via a crafted payload.
8.8 HIGH
CVE-2023-38885
all versions
OpenSIS Classic Community Edition version 9.0 lacks cross-site request forgery (CSRF) protection throughout the whole app. This ma
8.8 HIGH
CVE-2023-38884
all versions
An Insecure Direct Object Reference (IDOR) vulnerability in the Community Edition version 9.0 of openSIS Classic allows an unauthe
7.5 HIGH
CVE-2023-38883
all versions
A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote
6.1 MEDIUM
CVE-2023-38882
all versions
A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote
6.1 MEDIUM
CVE-2023-38881
all versions
A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote
6.1 MEDIUM
CVE-2023-38880
all versions
The Community Edition version 9.0 of OS4ED's openSIS Classic has a broken access control vulnerability in the database backup func
9.8 CRITICAL
CVE-2023-38879
all versions
The Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to read arbitrary files via a directory trave
7.5 HIGH
CVE-2022-45962
<= 8.0
Open Solutions for Education, Inc openSIS Community Edition v8.0 and earlier is vulnerable to SQL Injection via CalendarModal.php.
6.5 MEDIUM
CVE-2022-27041
all versions
Due to lack of protection, parameter student_id in OpenSIS Classic 8.0 /modules/eligibility/Student.php can be used to inject SQL
7.5 HIGH
CVE-2021-40637
all versions
OS4ED openSIS 8.0 is affected by cross-site scripting (XSS) in EmailCheckOthers.php. An attacker can inject JavaScript code to get
6.1 MEDIUM
CVE-2021-40636
all versions
OS4ED openSIS 8.0 is affected by SQL Injection in CheckDuplicateName.php, which can extract information from the database.
7.5 HIGH
CVE-2021-40635
all versions
OS4ED openSIS 8.0 is affected by SQL injection in ChooseCpSearch.php, ChooseRequestSearch.php. An attacker can inject a SQL query
7.5 HIGH
CVE-2021-41679
all versions
A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attac
9.8 CRITICAL
CVE-2021-41678
all versions
A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attac
9.8 CRITICAL
CVE-2021-41677
all versions
A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attac
9.8 CRITICAL
CVE-2021-40618
all versions
An SQL Injection vulnerability exists in openSIS Classic 8.0 via the 1) ADDR_CONT_USRN, 2) ADDR_CONT_PSWD, 3) SECN_CONT_USRN or 4)
9.8 CRITICAL
CVE-2021-40617
all versions
An SQL Injection vulnerability exists in openSIS Community Edition version 8.0 via ForgotPassUserName.php.
9.8 CRITICAL
CVE-2021-40543
all versions
Opensis-Classic Version 8.0 is affected by a SQL injection vulnerability due to a lack of sanitization of input data at two parame
9.8 CRITICAL
CVE-2021-40542
all versions
Opensis-Classic Version 8.0 is affected by cross-site scripting (XSS). An unauthenticated user can inject and execute JavaScript c
6.1 MEDIUM
CVE-2021-40651
all versions
OS4Ed OpenSIS Community 8.0 is vulnerable to a local file inclusion vulnerability in Modules.php (modname parameter), which can di
6.5 MEDIUM
CVE-2021-40310
all versions
OpenSIS Community Edition version 8.0 is affected by a cross-site scripting (XSS) vulnerability in the TakeAttendance.php via the
5.4 MEDIUM
CVE-2021-40309
all versions
A SQL injection vulnerability exists in the Take Attendance functionality of OS4Ed's OpenSIS 8.0 and allows an attacker to inject the
8.8 HIGH
CVE-2021-27341
<= 7.6
OpenSIS Community Edition version <= 7.6 is affected by a local file inclusion vulnerability in DownloadWindow.php via the "filena
9.8 CRITICAL
CVE-2021-27340
<= 7.6
OpenSIS Community Edition version <= 7.6 is affected by a reflected XSS vulnerability in EmailCheck.php via the "opt" parameter.
6.1 MEDIUM
CVE-2021-39379
all versions
A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious at
9.8 CRITICAL
CVE-2021-39378
all versions
A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious at
9.8 CRITICAL
CVE-2021-39377
all versions
A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious at
9.8 CRITICAL
CVE-2021-40353
all versions
A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attac
9.8 CRITICAL
CVE-2020-27409
< 7.5
OpenSIS Community Edition before 7.5 is affected by a cross-site scripting (XSS) vulnerability in SideForStudent.php via the modna
6.1 MEDIUM
CVE-2020-27408
<= 7.6
OpenSIS Community Edition through 7.6 is affected by incorrect access controls for the file ResetUserInfo.php that allow an unauth
7.5 HIGH
CVE-2020-6144
all versions
A remote code execution vulnerability exists in the install functionality of OS4Ed openSIS 7.4. The username variable which is set
9.8 CRITICAL
CVE-2020-6143
all versions
A remote code execution vulnerability exists in the install functionality of OS4Ed openSIS 7.4. The password variable which is set
9.8 CRITICAL
CVE-2020-6142
all versions
A remote code execution vulnerability exists in the Modules.php functionality of OS4Ed openSIS 7.3. A specially crafted HTTP reque
9.8 CRITICAL
CVE-2020-6140
all versions
SQL injection vulnerability exists in the password reset functionality of OS4Ed openSIS 7.3. The password_stf_email parameter in t
9.8 CRITICAL
CVE-2020-6139
all versions
SQL injection vulnerability exists in the password reset functionality of OS4Ed openSIS 7.3. The username_stf_email parameter in t
9.8 CRITICAL
CVE-2020-6138
all versions
SQL injection vulnerability exists in the password reset functionality of OS4Ed openSIS 7.3. The uname parameter in the password r
9.8 CRITICAL
CVE-2020-6137
all versions
SQL injection vulnerability exists in the password reset functionality of OS4Ed openSIS 7.3. The password_stf_email parameter in t
9.8 CRITICAL
CVE-2020-6141
all versions
An exploitable SQL injection vulnerability exists in the login functionality of OS4Ed openSIS 7.3. A specially crafted HTTP reques
9.8 CRITICAL
CVE-2020-6136
all versions
An exploitable SQL injection vulnerability exists in the DownloadWindow.php functionality of OS4Ed openSIS 7.3. A specially crafte
8.8 HIGH
CVE-2020-6135
all versions
An exploitable SQL injection vulnerability exists in the Validator.php functionality of OS4Ed openSIS 7.3. A specially crafted HTT
8.8 HIGH
CVE-2020-6134
all versions
SQL injection vulnerabilities exist in the ID parameters of OS4Ed openSIS 7.3 pages. The id parameter in the page MassDropModal.ph
8.8 HIGH
CVE-2020-6133
all versions
SQL injection vulnerabilities exist in the ID parameters of OS4Ed openSIS 7.3 pages. The id parameter in the page CourseMoreInfo.p
8.8 HIGH
CVE-2020-6132
all versions
SQL injection vulnerability exists in the ID parameters of OS4Ed openSIS 7.3 pages. The id parameter in the page ChooseCP.php is v
8.8 HIGH
CVE-2020-6128
all versions
SQL injection vulnerability exists in the CoursePeriodModal.php page of OS4Ed openSIS 7.3. A specially crafted HTTP request can le
8.8 HIGH
CVE-2020-6127
all versions
SQL injection vulnerability exists in the CoursePeriodModal.php page of OS4Ed openSIS 7.3. The id parameter in the page CoursePeri
8.8 HIGH
CVE-2020-6126
all versions
SQL injection vulnerability exists in the CoursePeriodModal.php page of OS4Ed openSIS 7.3. The course_period_id parameter in the p
8.8 HIGH
CVE-2020-6125
all versions
An exploitable SQL injection vulnerability exists in the GetSchool.php functionality of OS4Ed openSIS 7.3. A specially crafted HTT
8.8 HIGH
CVE-2020-6124
all versions
An exploitable SQL injection vulnerability exists in the email parameter functionality of OS4Ed openSIS 7.3. The email parameter i
8.8 HIGH
CVE-2020-6131
all versions
SQL injection vulnerabilities exist in the course_period_id parameters used in OS4Ed openSIS 7.3 pages. The course_period_id param
8.8 HIGH
CVE-2020-6130
all versions
SQL injection vulnerabilities exist in the course_period_id parameters used in OS4Ed openSIS 7.3 pages. The course_period_id param
8.8 HIGH
CVE-2020-6129
all versions
SQL injection vulnerabilities exist in the course_period_id parameters used in OS4Ed openSIS 7.3 pages. The course_period_id param
8.8 HIGH
CVE-2020-6123
all versions
An exploitable SQL injection vulnerability exists in the email parameter functionality of OS4Ed openSIS 7.3. The email parameter i
8.8 HIGH
CVE-2020-6122
all versions
SQL injection vulnerability exists in the CheckDuplicateStudent.php page of OS4Ed openSIS 7.3. The mn parameter in the page CheckD
8.8 HIGH
CVE-2020-6121
all versions
SQL injection vulnerabilities exist in the CheckDuplicateStudent.php page of OS4Ed openSIS 7.3. The ln parameter in the page Check
8.8 HIGH
CVE-2020-6120
all versions
SQL injection vulnerability exists in the CheckDuplicateStudent.php page of OS4Ed openSIS 7.3. The fn parameter in the page CheckD
8.8 HIGH
CVE-2020-6119
all versions
SQL injection vulnerabilities exist in the CheckDuplicateStudent.php page of OS4Ed openSIS 7.3. The byear parameter in the page Ch
8.8 HIGH
CVE-2020-6118
all versions
SQL injection vulnerabilities exist in the CheckDuplicateStudent.php page of OS4Ed openSIS 7.3. The bmonth parameter in the page C
8.8 HIGH
CVE-2020-6117
all versions
SQL injection vulnerabilities exist in the CheckDuplicateStudent.php page of OS4Ed openSIS 7.3. The bday parameter in the page Che
8.8 HIGH
CVE-2020-6637
all versions
openSIS Community Edition version 7.3 is vulnerable to SQL injection via the USERNAME parameter of index.php.
9.8 CRITICAL
CVE-2020-13383
<= 7.4
openSIS through 7.4 allows Directory Traversal.
7.5 HIGH
CVE-2020-13382
<= 7.4
openSIS through 7.4 has Incorrect Access Control.
9.1 CRITICAL
CVE-2020-13381
<= 7.4
openSIS through 7.4 allows SQL Injection.
9.8 CRITICAL
CVE-2020-13380
<= 7.4
openSIS before 7.4 allows SQL Injection.
9.8 CRITICAL
CVE-2014-8366
all versions
SQL injection vulnerability in openSIS 4.5 through 5.3 allows remote attackers to execute arbitrary SQL commands via the Username
CVE-2013-1349
all versions
Eval injection vulnerability in ajax.php in openSIS 4.5 through 5.2 allows remote attackers to execute arbitrary PHP code via the