PT-2020-18944 · Os4Ed · Os4Ed Opensis

Published

2020-09-01

Updated

2022-05-31

CVE-2020-6130

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions OS4Ed openSIS version 7.3

Description SQL injection vulnerabilities exist in the course period id parameters used in OS4Ed openSIS pages. The course period id parameter in the page "MassDropSessionSet.php" is vulnerable to SQL injection. An attacker can make an authenticated HTTP request to trigger these vulnerabilities.

Recommendations For OS4Ed openSIS version 7.3, consider restricting access to the "MassDropSessionSet.php" page and the course period id parameter to minimize the risk of exploitation. Avoid using the course period id parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2020-6130

Affected Products

Os4Ed Opensis

PT-2020-18944 · Os4Ed · Os4Ed Opensis

CVE-2020-6130

Weakness Enumeration

Related Identifiers

Affected Products

References · 4