CVE-2025-22925

Name of the Vulnerable Software and Affected Versions OS4ED openSIS versions 7.0 through 9.1

Description A SQL injection vulnerability was discovered in OS4ED openSIS via the table parameter at "/attendance/AttendanceCodes.php". The remote, authenticated attacker requires the admin role to successfully exploit this vulnerability.

Recommendations For OS4ED openSIS versions 7.0 through 9.1, consider disabling access to the "/attendance/AttendanceCodes.php" endpoint until a patch is available. Restrict the table parameter to minimize the risk of exploitation. Ensure that only authorized personnel with the admin role have access to the vulnerable endpoint. At the moment, there is no information about a newer version that contains a fix for this vulnerability.