CVE-2020-6143

Name of the Vulnerable Software and Affected Versions OS4Ed openSIS version 7.4

Description A remote code execution issue exists in the install functionality. The password variable, set at line 122 in install/Step5.php, allows for injection of PHP code into the Data.php file. An attacker can send an HTTP request to the vulnerable endpoint to trigger this issue.

Recommendations For OS4Ed openSIS version 7.4, as a temporary workaround, consider restricting access to the install/Step5.php file until a patch is available. Avoid using the password variable in the affected installation process until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.