OS4ED/openSIS-Classic

GitHub

github.com

www.os4ed.com

Releases14

Frequency6 months 2 weeks

Last Release 7 months ago

Stars316

openSIS is a commercial grade, secure, scalable & intuitive Student Information System, School Management Software from OS4ED. Has all functionalities to run single or multiple institutions in one installation. Web based, php code, MySQL database.

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2025-26186 ↗	Jul 15, 2025Tuesday, 15 July 2025, 17:15	8.1 HIGH	—
SQL Injection vulnerability in openSIS v.9.1 allows a remote attacker to execute arbitrary code via the id parameter in Ajax.php
CVE-2021-41691 ↗	Jun 24, 2025Tuesday, 24 June 2025, 16:15	9.8 CRITICAL	—
A SQL injection vulnerability exists in OS4Ed Open Source Information System Community v8.0 via the "student_id" and "TRANSFER{SCHOOL]" parameters in POST request sent to /TransferredOutModal.php.
CVE-2025-22931 ↗	Apr 3, 2025Thursday, 3 April 2025, 14:15	7.5 HIGH	—
An insecure direct object reference (IDOR) in the component /assets/stafffiles of OS4ED openSIS v7.0 to v9.1 allows unauthenticated attackers to access files uploaded by staff members.
CVE-2025-22930 ↗	Apr 3, 2025Thursday, 3 April 2025, 14:15	9.8 CRITICAL	—
OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the groupid parameter at /messaging/Group.php.
CVE-2025-22929 ↗	Apr 3, 2025Thursday, 3 April 2025, 14:15	9.8 CRITICAL	—
OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the filter_id parameter at /students/StudentFilters.php.
CVE-2025-22926 ↗	Apr 3, 2025Thursday, 3 April 2025, 14:15	9.8 CRITICAL	—
An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal by sending a crafted POST request to /Modules.php?modname=messaging/Inbox.php&modfunc=save&filename.
CVE-2025-22928 ↗	Apr 3, 2025Thursday, 3 April 2025, 13:15	9.8 CRITICAL	—
OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the cp_id parameter at /modules/messages/Inbox.php.
CVE-2025-22927 ↗	Apr 3, 2025Thursday, 3 April 2025, 13:15	9.1 CRITICAL	—
An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal by sending a crafted POST request to /Modules.php?modname=messaging/Inbox.php&modfunc=save&filename.
CVE-2025-22925 ↗	Apr 2, 2025Wednesday, 2 April 2025, 21:15	7.5 HIGH	—
OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the table parameter at /attendance/AttendanceCodes.php. The remote, authenticated attacker requires the admin role to successfully exploit this vulnerability.
CVE-2025-22924 ↗	Apr 2, 2025Wednesday, 2 April 2025, 21:15	8.8 HIGH	—
OS4ED openSIS v7.0 through v9.1 contains a SQL injection vulnerability via the stu_id parameter at /modules/students/Student.php.
CVE-2025-22923 ↗	Apr 2, 2025Wednesday, 2 April 2025, 21:15	8.8 HIGH	—
An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal and delete files by sending a crafted POST request to /Modules.php?modname=users/Staff.php&removefile.
CVE-2023-38884 ↗	Nov 20, 2023Monday, 20 November 2023, 19:15	7.5 HIGH	—
An Insecure Direct Object Reference (IDOR) vulnerability in the Community Edition version 9.0 of openSIS Classic allows an unauthenticated remote attacker to access any student's files by visiting '/assets/studentfiles/<studentId>-<filename>'
CVE-2023-38885 ↗	Nov 20, 2023Monday, 20 November 2023, 19:15	8.8 HIGH	—
OpenSIS Classic Community Edition version 9.0 lacks cross-site request forgery (CSRF) protection throughout the whole app. This may allow an attacker to trick an authenticated user into performing any kind of state changing request.
CVE-2023-38883 ↗	Nov 20, 2023Monday, 20 November 2023, 19:15	6.1 MEDIUM	—
A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'ajax' parameter in 'ParentLookup.php'.
CVE-2023-38882 ↗	Nov 20, 2023Monday, 20 November 2023, 19:15	6.1 MEDIUM	—
A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'include' parameter in 'ForExport.php'
CVE-2023-38881 ↗	Nov 20, 2023Monday, 20 November 2023, 19:15	6.1 MEDIUM	—
A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into any of the 'calendar_id', 'school_date', 'month' or 'year' parameters in 'CalendarModal.php'.
CVE-2023-38880 ↗	Nov 20, 2023Monday, 20 November 2023, 19:15	9.8 CRITICAL	—
The Community Edition version 9.0 of OS4ED's openSIS Classic has a broken access control vulnerability in the database backup functionality. Whenever an admin generates a database backup, the backup is stored in the web root while the file name has a format of "opensisBackup<date>.sql" (e.g. "opensisBackup07-20-2023.sql"), i.e. can easily be guessed. This file can be accessed by any unauthenticated actor and contains a dump of the whole database including password hashes.
CVE-2023-38879 ↗	Nov 20, 2023Monday, 20 November 2023, 19:15	7.5 HIGH	—
The Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to read arbitrary files via a directory traversal vulnerability in the 'filename' parameter of 'DownloadWindow.php'.
CVE-2022-45962 ↗	Feb 13, 2023Monday, 13 February 2023, 21:15	6.5 MEDIUM	—
Open Solutions for Education, Inc openSIS Community Edition v8.0 and earlier is vulnerable to SQL Injection via CalendarModal.php.
CVE-2022-27041 ↗	Apr 11, 2022Monday, 11 April 2022, 14:15	7.5 HIGH	5 MEDIUM
Due to lack of protection, parameter student_id in OpenSIS Classic 8.0 /modules/eligibility/Student.php can be used to inject SQL queries to extract information from databases.
CVE-2021-40637 ↗	Mar 3, 2022Thursday, 3 March 2022, 15:15	6.1 MEDIUM	4.3 MEDIUM
OS4ED openSIS 8.0 is affected by cross-site scripting (XSS) in EmailCheckOthers.php. An attacker can inject JavaScript code to get the user's cookie and take over the working session of user.
CVE-2021-40635 ↗	Mar 3, 2022Thursday, 3 March 2022, 14:15	7.5 HIGH	5 MEDIUM
OS4ED openSIS 8.0 is affected by SQL injection in ChooseCpSearch.php, ChooseRequestSearch.php. An attacker can inject a SQL query to extract information from the database.
CVE-2021-40636 ↗	Mar 3, 2022Thursday, 3 March 2022, 14:15	7.5 HIGH	5 MEDIUM
OS4ED openSIS 8.0 is affected by SQL Injection in CheckDuplicateName.php, which can extract information from the database.
CVE-2021-41679 ↗	Nov 30, 2021Tuesday, 30 November 2021, 14:15	9.8 CRITICAL	6.8 MEDIUM
A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/modules/grades/InputFinalGrades.php, period parameter.
CVE-2021-41678 ↗	Nov 30, 2021Tuesday, 30 November 2021, 14:15	9.8 CRITICAL	6.8 MEDIUM
A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/modules/users/Staff.php, staff{TITLE] parameter.
CVE-2021-41677 ↗	Nov 30, 2021Tuesday, 30 November 2021, 13:15	9.8 CRITICAL	6.8 MEDIUM
A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the /opensis/functions/GetStuListFnc.php &Grade= parameter.
CVE-2021-40618 ↗	Oct 12, 2021Tuesday, 12 October 2021, 18:15	9.8 CRITICAL	7.5 HIGH
An SQL Injection vulnerability exists in openSIS Classic 8.0 via the 1) ADDR_CONT_USRN, 2) ADDR_CONT_PSWD, 3) SECN_CONT_USRN or 4) SECN_CONT_PSWD parameters in HoldAddressFields.php.
CVE-2021-40617 ↗	Oct 11, 2021Monday, 11 October 2021, 19:15	9.8 CRITICAL	7.5 HIGH
An SQL Injection vulnerability exists in openSIS Community Edition version 8.0 via ForgotPassUserName.php.
CVE-2021-40543 ↗	Oct 11, 2021Monday, 11 October 2021, 13:15	9.8 CRITICAL	7.5 HIGH
Opensis-Classic Version 8.0 is affected by a SQL injection vulnerability due to a lack of sanitization of input data at two parameters $_GET['usrid'] and $_GET['prof_id'] in the PasswordCheck.php file.
CVE-2021-40542 ↗	Oct 11, 2021Monday, 11 October 2021, 13:15	6.1 MEDIUM	4.3 MEDIUM
Opensis-Classic Version 8.0 is affected by cross-site scripting (XSS). An unauthenticated user can inject and execute JavaScript code through the link_url parameter in Ajax_url_encode.php.
CVE-2021-40309 ↗	Sep 24, 2021Friday, 24 September 2021, 16:15	8.8 HIGH	6.5 MEDIUM
A SQL injection vulnerability exists in the Take Attendance functionality of OS4Ed's OpenSIS 8.0. allows an attacker to inject their own SQL query. The cp_id_miss_attn parameter from TakeAttendance.php is vulnerable to SQL injection. An attacker can make an authenticated HTTP request as a user with access to "Take Attendance" functionality to trigger this vulnerability.
CVE-2021-40310 ↗	Sep 24, 2021Friday, 24 September 2021, 16:15	5.4 MEDIUM	3.5 LOW
OpenSIS Community Edition version 8.0 is affected by a cross-site scripting (XSS) vulnerability in the TakeAttendance.php via the cp_id_miss_attn parameter.
CVE-2021-27340 ↗	Sep 16, 2021Thursday, 16 September 2021, 14:15	6.1 MEDIUM	4.3 MEDIUM
OpenSIS Community Edition version <= 7.6 is affected by a reflected XSS vulnerability in EmailCheck.php via the "opt" parameter.
CVE-2021-27341 ↗	Sep 16, 2021Thursday, 16 September 2021, 14:15	9.8 CRITICAL	7.5 HIGH
OpenSIS Community Edition version <= 7.6 is affected by a local file inclusion vulnerability in DownloadWindow.php via the "filename" parameter.
CVE-2021-39379 ↗	Sep 1, 2021Wednesday, 1 September 2021, 13:15	9.8 CRITICAL	7.5 HIGH
A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the ResetUserInfo.php password_stn_id parameter.
CVE-2021-39378 ↗	Sep 1, 2021Wednesday, 1 September 2021, 13:15	9.8 CRITICAL	7.5 HIGH
A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the NamesList.php str parameter.
CVE-2021-39377 ↗	Sep 1, 2021Wednesday, 1 September 2021, 13:15	9.8 CRITICAL	7.5 HIGH
A SQL Injection vulnerability exists in openSIS 8.0 when MySQL (MariaDB) is being used as the application database. A malicious attacker can issue SQL commands to the MySQL (MariaDB) database through the index.php username parameter.
CVE-2020-27409 ↗	Dec 4, 2020Friday, 4 December 2020, 16:15	6.1 MEDIUM	4.3 MEDIUM
OpenSIS Community Edition before 7.5 is affected by a cross-site scripting (XSS) vulnerability in SideForStudent.php via the modname parameter.
CVE-2020-27408 ↗	Dec 4, 2020Friday, 4 December 2020, 16:15	7.5 HIGH	5 MEDIUM
OpenSIS Community Edition through 7.6 is affected by incorrect access controls for the file ResetUserInfo.php that allow an unauthenticated attacker to change the password of arbitrary users.
CVE-2020-6637 ↗	Aug 24, 2020Monday, 24 August 2020, 19:15	9.8 CRITICAL	7.5 HIGH
openSIS Community Edition version 7.3 is vulnerable to SQL injection via the USERNAME parameter of index.php.
CVE-2020-13380 ↗	Jul 1, 2020Wednesday, 1 July 2020, 15:15	9.8 CRITICAL	7.5 HIGH
openSIS before 7.4 allows SQL Injection.
CVE-2020-13383 ↗	Jul 1, 2020Wednesday, 1 July 2020, 15:15	7.5 HIGH	5 MEDIUM
openSIS through 7.4 allows Directory Traversal.
CVE-2020-13382 ↗	Jul 1, 2020Wednesday, 1 July 2020, 15:15	9.1 CRITICAL	6.4 MEDIUM
openSIS through 7.4 has Incorrect Access Control.
CVE-2020-13381 ↗	Jul 1, 2020Wednesday, 1 July 2020, 15:15	9.8 CRITICAL	7.5 HIGH
openSIS through 7.4 allows SQL Injection.