PT-2019-13818 · Unknown · Open-School+1

A Guest

·

Published

2019-08-08

·

Updated

2019-08-14

·

CVE-2019-14754

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Open-School version 3.0
Community Edition version 2.3

Description

The issue allows SQL injection via the "index.php?r=students/students/document" endpoint, specifically the id parameter: the value reaches a database query without being validated or bound as a parameter, so a remote attacker who needs no credentials (AV:N, PR:N in the vector above) can inject arbitrary SQL and read, modify or destroy data.

Recommendations

For Open-School version 3.0 and Community Edition version 2.3, update to a version in which this issue is fixed. Until a fixed version is applied, restrict access to the "index.php?r=students/students/document" endpoint (for example, to authenticated users or to trusted addresses at the web server or WAF) and make sure the id parameter is validated as an integer and passed to the database as a bound parameter rather than concatenated into the query.
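The weakness described above, as an added example that is not Open-School's code: a constructed SQLite table stands in for the application's document storage, `fetch_document_vulnerable` splices the id parameter into the statement the way an injectable endpoint would, `fetch_document_bound_only` shows that binding alone neutralises the injection, and `fetch_document_fixed` adds the integer validation recommended above. The table, column and function names, and the injected value, are assumptions made for the demo; the page does not show the affected query.

```python
# Added example (not Open-School's code): a concatenated id parameter
# versus a validated, bound one, run against constructed sample data.
import re
import sqlite3


def make_db():
    """Constructed sample table standing in for the student document store."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE student_document (
            id         INTEGER PRIMARY KEY,
            student_id INTEGER NOT NULL,
            file_name  TEXT    NOT NULL
        );
        INSERT INTO student_document VALUES
            (1, 100, 'alice_transcript.pdf'),
            (2, 101, 'bob_transcript.pdf'),
            (3, 102, 'carol_transcript.pdf');
        """
    )
    return conn


def fetch_document_vulnerable(conn, raw_id):
    """Injectable pattern: the request parameter is pasted into the SQL text."""
    sql = "SELECT id, student_id, file_name FROM student_document WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def fetch_document_bound_only(conn, raw_id):
    """Parameter binding alone: the whole value is compared as data, never parsed as SQL."""
    sql = "SELECT id, student_id, file_name FROM student_document WHERE id = ?"
    return conn.execute(sql, (raw_id,)).fetchall()


# Positive integer, at most 10 digits: the only shape a document id should have.
ID_RE = re.compile(r"[1-9][0-9]{0,9}")


def fetch_document_fixed(conn, raw_id):
    """Recommended fix: reject anything that is not an integer id, then bind it."""
    if not ID_RE.fullmatch(raw_id):
        raise ValueError("id must be a positive integer")
    sql = "SELECT id, student_id, file_name FROM student_document WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).fetchall()


def demo():
    """Run the three variants on a benign id and on a constructed tautology payload."""
    conn = make_db()
    benign = "2"
    tautology = "2 OR 1=1"  # constructed injection input for the demo
    results = {
        "vulnerable_benign": fetch_document_vulnerable(conn, benign),
        # Every row comes back: the WHERE clause became "id = 2 OR 1=1".
        "vulnerable_injected": fetch_document_vulnerable(conn, tautology),
        "bound_only_benign": fetch_document_bound_only(conn, benign),
        # No row matches the literal string '2 OR 1=1'.
        "bound_only_injected": fetch_document_bound_only(conn, tautology),
        "fixed_benign": fetch_document_fixed(conn, benign),
    }
    try:
        fetch_document_fixed(conn, tautology)
        results["fixed_injected"] = "accepted"
    except ValueError as exc:
        results["fixed_injected"] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Binding is the fix; the shape check in front of it is defence in depth that also gives the application a clean place to log and reject malformed requests, which is the signal a detection team would want from the endpoint named in this advisory.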

Exploit

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2019-14754

Affected Products

Community Edition
Open-School