PT-2020-18943 · Os4Ed · Opensis

Yuri Kramarz

·

Published

2020-09-01

·

Updated

2022-05-31

·

CVE-2020-6129

CVSS v3.1

8.8

High

Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: openSIS version 7.3
Description: SQL injection in the course period id parameters handled by the CpSessionSet.php page of openSIS 7.3. The parameter value reaches a database query without adequate validation, so an attacker who holds valid openSIS credentials (PR:L in the vector above) can inject SQL by sending a crafted authenticated HTTP request to that page, with the confidentiality, integrity and availability impact reflected in the CVSS vector.
Recommendations: For openSIS version 7.3, apply the vendor fix if one is available for your deployment. Until then, restrict access to the CpSessionSet.php page to trusted accounts and, as a temporary workaround, only accept the course period id parameter when it is a plain integer (validate or cast it before it reaches the query) and pass it to the database through a bound parameter rather than string concatenation. Monitor access logs for requests to CpSessionSet.php whose course period id value is anything other than a bare number.
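To make the class of bug concrete, the following is an added example written for this page (it is not openSIS code, and the table names, column names and the `cp_id` value used as the course period id parameter are assumptions standing in for the real schema). It places a vulnerable lookup that interpolates the request parameter into SQL next to a hardened version that enforces the integer-only workaround above and binds the value, then shows what a UNION-based payload returns from each.

```python
import re
import sqlite3

# Constructed in-memory schema standing in for a course-period table and a
# staff table. Names and rows are invented for this example, not openSIS's.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE course_periods (
            course_period_id INTEGER PRIMARY KEY,
            title            TEXT,
            teacher_id       INTEGER
        );
        CREATE TABLE staff (
            staff_id      INTEGER PRIMARY KEY,
            username      TEXT,
            password_hash TEXT
        );
        INSERT INTO course_periods VALUES (1, 'Algebra I', 10), (2, 'Biology', 11);
        INSERT INTO staff VALUES
            (10, 'teacher_a', '$2y$10$constructed_hash_a'),
            (11, 'teacher_b', '$2y$10$constructed_hash_b');
        """
    )
    return conn


def lookup_course_period_vulnerable(conn: sqlite3.Connection, cp_id_param: str) -> list:
    # Vulnerable pattern: the raw request value is spliced into the statement,
    # so the attacker controls SQL syntax, not just a number.
    sql = (
        "SELECT course_period_id, title FROM course_periods "
        f"WHERE course_period_id={cp_id_param}"
    )
    return conn.execute(sql).fetchall()


def parse_course_period_id(raw: str) -> int:
    # Workaround from the recommendations: accept only a bare decimal integer.
    # Anything else (spaces, quotes, keywords, comments) is rejected outright.
    if re.fullmatch(r"[0-9]+", raw) is None:
        raise ValueError(f"invalid course period id: {raw!r}")
    return int(raw)


def lookup_course_period_hardened(conn: sqlite3.Connection, cp_id_param: str) -> list:
    # Hardened pattern: validate first, then bind the value as a parameter so
    # the database driver never treats it as SQL text.
    cp_id = parse_course_period_id(cp_id_param)
    return conn.execute(
        "SELECT course_period_id, title FROM course_periods WHERE course_period_id=?",
        (cp_id,),
    ).fetchall()


# A UNION-based payload of the kind an authenticated user could place in the
# course period id parameter; it appends staff password hashes to the result.
UNION_PAYLOAD = "1 UNION SELECT staff_id, password_hash FROM staff"


def demo() -> dict:
    conn = make_db()
    result = {
        "benign_vulnerable": lookup_course_period_vulnerable(conn, "1"),
        "payload_vulnerable": lookup_course_period_vulnerable(conn, UNION_PAYLOAD),
        "benign_hardened": lookup_course_period_hardened(conn, "1"),
    }
    try:
        lookup_course_period_hardened(conn, UNION_PAYLOAD)
        result["payload_hardened"] = "query executed"
    except ValueError as exc:
        result["payload_hardened"] = f"rejected: {exc}"
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block shows the vulnerable lookup returning the expected course period plus every staff row's password hash for the payload, while the hardened lookup never reaches the database because the validator rejects the value. The integer check alone is the quick workaround; binding the parameter is what makes the query safe even if validation is later relaxed.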

Exploit · Fix · SQL injection


Weakness Enumeration

Related Identifiers

CVE-2020-6129

Affected Products

Opensis