PT-2024-26561 · Unknown · Opensis Community Edition
Whwhwh96 · Published 2024-10-15 · Updated 2025-07-17 · CVE-2024-35584
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenSis Community Edition versions 8.0 through 9.1
Description: The issue is a SQL injection caused by missing input sanitization. An authenticated user can inject SQL because the application appends the raw value of the X-Forwarded-For request header directly to a SQL INSERT statement, which lets the attacker alter the query the database executes.
Recommendations: For OpenSis Community Edition versions 8.0 through 9.1, consider disabling the affected PHP files (Ajax.php, ForWindow.php, ForExport.php, Modules.php, functions/HackingLogFnc.php) until a patch is available, to prevent SQL injection attacks. Restrict access to these files to minimize the risk of exploitation. Do not use the X-Forwarded-For header value in SQL statements until the issue is resolved.
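The pattern the advisory describes and the corresponding fix, as an added illustration that is not OpenSIS code and does not reproduce the affected files: the table name hacking_log, its columns and the function names are hypothetical. The unsafe function shows the defect (a client-supplied header concatenated into an INSERT); the hardened version binds the value through a prepared statement and additionally validates that the header content is an IP address before it is stored.

```php
<?php
// Added example, not code from the OpenSIS project. Table/column names are hypothetical.

// Unsafe pattern: the raw header is concatenated into the SQL text.
// X-Forwarded-For is set by whoever sends the request, so its content is
// attacker-controlled even for an authenticated user.
function log_request_unsafe(PDO $db, string $url): void
{
    $ip  = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? ($_SERVER['REMOTE_ADDR'] ?? '');
    $sql = "INSERT INTO hacking_log (ip_address, url) VALUES ('" . $ip . "', '" . $url . "')";
    $db->exec($sql);
}

// Hardened helper: only consult X-Forwarded-For when a trusted reverse proxy
// sits in front of the application and rewrites that header; otherwise the
// socket peer address is the only value the server can vouch for.
function client_ip(bool $behindTrustedProxy = false): string
{
    $remote = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!$behindTrustedProxy) {
        return $remote;
    }
    $xff = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? '';
    // The header may carry "client, proxy1, proxy2"; the left-most entry is the claimed client.
    $first = trim(explode(',', $xff)[0]);
    // Anything that is not a syntactically valid IPv4/IPv6 address is discarded.
    return filter_var($first, FILTER_VALIDATE_IP) !== false ? $first : $remote;
}

// Hardened insert: the values travel as bound parameters, never as SQL text,
// so the database cannot interpret them as part of the statement.
function log_request_safe(PDO $db, string $url, bool $behindTrustedProxy = false): void
{
    $stmt = $db->prepare('INSERT INTO hacking_log (ip_address, url) VALUES (:ip, :url)');
    $stmt->execute([
        ':ip'  => client_ip($behindTrustedProxy),
        ':url' => $url,
    ]);
}
```

The prepared statement is the actual fix for the injection; the IP validation is defence in depth that also keeps arbitrary header text out of the log table, and the trusted-proxy flag records the fact that X-Forwarded-For is only meaningful when a proxy you control sets it.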

SQL injection
Weakness Enumeration
Related Identifiers: CVE-2024-35584
Affected Products: Opensis Community Edition