Quanhx11

#9256of 53,633
29.6Total CVSS
Vulnerabilities · 3
Critical
3
PT-2021-6948
9.8
2021-11-30
Oracle · Mysql Server · CVE-2021-41679
**Name of the Vulnerable Software and Affected Versions** openSIS version 8.0 **Description** A SQL injection issue exists when MySQL or MariaDB is used as the application database. This allows an attacker to issue SQL commands through the "opensis/modules/grades/InputFinalGrades.php" endpoint, specifically using the `period` parameter. The vulnerability can be exploited by a remote attacker to execute arbitrary SQL queries. **Recommendations** For openSIS version 8.0, consider disabling access to the "opensis/modules/grades/InputFinalGrades.php" endpoint until a patch is available, or restrict the use of the `period` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2021-6949
10
2021-11-30
Opensips · Opensis · CVE-2021-41678
**Name of the Vulnerable Software and Affected Versions** openSIS version 8.0 **Description** The issue is related to a lack of protection against SQL query structure exploitation. This can allow a remote attacker to execute arbitrary SQL commands through the "/opensis/modules/users/Staff.php" endpoint, specifically using the `staff{TITLE}` parameter. **Recommendations** For openSIS version 8.0, consider disabling the `/opensis/modules/users/Staff.php` endpoint until a patch is available to prevent exploitation through the `staff{TITLE}` parameter. Restrict access to this endpoint to minimize the risk of SQL injection attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2021-6950
9.8
2021-11-30
Oracle · Mysql Server · CVE-2021-41677
**Name of the Vulnerable Software and Affected Versions** openSIS version 8.0 **Description** A SQL injection issue exists when MySQL or MariaDB is used as the application database, allowing an attacker to issue SQL commands through the "/opensis/functions/GetStuListFnc.php" endpoint using the `Grade` parameter. This can enable a remote attacker to execute arbitrary SQL queries. **Recommendations** For openSIS version 8.0, consider disabling the `/opensis/functions/GetStuListFnc.php` endpoint or restricting access to the `Grade` parameter until a patch is available.