OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the groupid parameter at /messaging/Group.php.
The vulnerability results from the lack of proper validation and sanitization of user input data transmitted in the groupid parameter to the /messaging/Group.php endpoint. An attacker can inject malicious SQL code directly into the database query, manipulating its logic. Due to the network vector (AV:N) and lack of authentication requirements (PR:N) as well as user interaction (UI:N), the exploit can be performed remotely by any person with access to the application.
An attacker can obtain unauthorized read, modification, or deletion of data from the application's database, including personal data of students and employees. Depending on the database configuration, it may also be possible to take control of the database server.
Patches available from the vendor should be applied in accordance with the references. It is recommended to immediately monitor the vendor's repository (https://github.com/OS4ED/openSIS-Classic) for updates. Temporarily, consider restricting access to the /messaging/Group.php endpoint at the firewall or web server level.
OS4Ed openSIS in versions 7.0 to 9.1 (inclusive).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HOs4ed Opensis
APPOs4Ed7.0 – 9.1
Related vulnerabilities
SQL Injection w OpenSIS via parametry student_id i TRANSFER[SCHOOL]
SQL Injection w OS4ED openSIS — parametr cp_id w module wiadomości
Path traversal w openSIS umożliwia nieautoryzowany dostęp do plików
Path traversal w openSIS — nieautoryzowany dostęp do plików przez Modules.php
SQL Injection w Os4Ed openSIS — parametr filter_id