CRITICAL🇵🇱 Wersja polska

CVE-2025-22928

CVSS 9.8v3.1pub. 2025-04-03upd. 2025-05-02

OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the cp_id parameter at /modules/messages/Inbox.php.

🤖 AI Analysis
How it works

The vulnerability occurs in the cp_id parameter passed to the /modules/messages/Inbox.php script. User-supplied data is not properly validated or sanitized before being passed to an SQL query. An attacker can inject malicious SQL code directly over the network without requiring authentication or user interaction.

Impact

An attacker can gain unauthorized access to the application's database, read, modify or delete stored data, and depending on the database server configuration — potentially take control of the entire system.

Mitigation & patch

Apply patches available from the vendor according to the references. As additional remedial measures, it is recommended to restrict access to the application at the firewall level and monitor network traffic for anomalies in SQL queries.

Who is affected

OS4ED openSIS versions 7.0 to 9.1 (classic version of the application — openSIS-Classic)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Os4ed Opensis

    APP
    Os4Ed
    7.0 – 9.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2021-41691CRITICAL9.8PL ✓ten sam produkt

SQL Injection w OpenSIS via parametry student_id i TRANSFER[SCHOOL]

CVE-2025-22929CRITICAL9.8PL ✓ten sam produkt

SQL Injection w Os4Ed openSIS — parametr filter_id

CVE-2025-22926CRITICAL9.8PL ✓ten sam produkt

Path traversal w openSIS umożliwia nieautoryzowany dostęp do plików

CVE-2025-22927CRITICAL9.1PL ✓ten sam produkt

Path traversal w openSIS — nieautoryzowany dostęp do plików przez Modules.php

CVE-2025-22930CRITICAL9.8PL ✓ten sam produkt

SQL injection w OS4Ed openSIS via parametr groupid w Group.php