CVE-2021-39378

Name of the Vulnerable Software and Affected Versions openSIS version 8.0

Description A SQL Injection issue exists, allowing a malicious attacker to issue SQL commands to the database through the str parameter in NamesList.php. This is due to a lack of protection for the SQL query structure, enabling a remote attacker to execute arbitrary SQL queries using the NamesList.php parameter.

Recommendations For openSIS version 8.0, consider restricting access to the NamesList.php file or the str parameter to minimize the risk of exploitation until a patch is available. As a temporary workaround, disabling the use of MySQL (MariaDB) as the application database may also reduce the risk, but this should be carefully considered due to potential impacts on application functionality. At the moment, there is no information about a newer version that contains a fix for this vulnerability.