CVE-2025-22927

Name of the Vulnerable Software and Affected Versions OS4ED openSIS versions 8.0 through 9.1

Description The issue allows attackers to execute a directory traversal by sending a crafted POST request to "/Modules.php?modname=messaging/Inbox.php&modfunc=save&filename". This enables attackers to potentially access or modify files outside the intended directory.

Recommendations For OS4ED openSIS versions 8.0 through 9.1, consider restricting access to the "/Modules.php?modname=messaging/Inbox.php&modfunc=save&filename" endpoint until a patch is available. As a temporary workaround, avoid using the filename parameter in the affected API endpoint until the issue is resolved.