Yuri Kramarz and Yves Younan discovered these vulnerabilities. Blog by Jon Munshaw
Cisco Talos researchers recently discovered multiple vulnerabilities in the OpenSIS software family. OpenSIS is a student information management system for K-12 students. It is available in commercial
and open-source versions and allows schools to create schedules and track attendance, grades and transcripts. An adversary could take advantage of these bugs to carry out a range of malicious activities, including SQL injection and remote code execution.
In accordance with our coordinated disclosure policy, Cisco Talos worked with OpenSIS to ensure that these issues are resolved and that an update is available for affected customers.
Vulnerability details
OS4Ed openSIS CheckDuplicateStudent.php page SQL injection vulnerability (TALOS-2020-1072/CVE-2020-6117 through CVE-2020-6122)
Multiple exploitable SQL injection vulnerabilities exist in the CheckDuplicateStudent.php page of OS4Ed openSIS 7.3. A specially crafted HTTP request leads to SQL injection. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.
Read the complete vulnerability advisory here for additional information.
OS4Ed openSIS CheckDuplicateStudent.php page SQL injection vulnerability (TALOS-2020-1073/CVE-2020-6123/6124)
An exploitable SQL injection vulnerability exists in the email parameter functionality of OS4Ed openSIS 7.3. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
Read t ..
Support the originator by clicking the read the rest link below.
