An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal by sending a crafted POST request to /Modules.php?modname=messaging/Inbox.php&modfunc=save&filename.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NOs4ed Opensis
APPOs4Ed8.0 – 9.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path Traversal
CWE
Related vulnerabilities
CVE-2021-41691CRITICAL9.8PL ✓ten sam produkt
SQL Injection w OpenSIS via parametry student_id i TRANSFER[SCHOOL]
CVE-2025-22929CRITICAL9.8PL ✓ten sam produkt
SQL Injection w Os4Ed openSIS — parametr filter_id
CVE-2025-22926CRITICAL9.8PL ✓ten sam produkt
Path traversal w openSIS umożliwia nieautoryzowany dostęp do plików
CVE-2025-22928CRITICAL9.8PL ✓ten sam produkt
SQL Injection w OS4ED openSIS — parametr cp_id w module wiadomości
CVE-2025-22930CRITICAL9.8PL ✓ten sam produkt
SQL injection w OS4Ed openSIS via parametr groupid w Group.php