CVE-2020-6134

Name of the Vulnerable Software and Affected Versions OS4Ed openSIS version 7.3

Description The issue concerns SQL injection vulnerabilities found in the ID parameters of certain pages in OS4Ed openSIS. Specifically, the id parameter in the MassDropModal.php page is vulnerable to SQL injection. An attacker can exploit this by making an authenticated HTTP request to the vulnerable endpoint, such as "/MassDropModal.php", using the vulnerable id parameter.

Recommendations For OS4Ed openSIS version 7.3, as a temporary workaround, consider restricting access to the MassDropModal.php page and avoid using the id parameter in authenticated HTTP requests until a patch is available.