Os4ed 漏洞與 CVE 列表(81)

產品(CPE): — CVE 數: 81

Os4ed 漏洞概覽

彙總 Os4ed 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。

常見弱點模式包括 SQL 注入、跨站腳本、路徑處理缺陷與CSRF,在 軟體部署與生產負載 使用場景中可能帶來 資料外洩、檔案覆寫與工作階段劫持 等風險。

相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。

漏洞分布趨勢(近 24 個月)

顯示 12081 CVE 數
«« 第一頁 « 上一頁 第 1 / 5 頁 下一頁 »
CVE 摘要 來源 最高 CVSS EPSS % 公開時間 更新時間
CVE-2026-8406 openSIS Classic 9.3 contains an insecure direct object reference vulnerability in the messaging module. Any authenticated user with access to the messaging module can request sent-message details from modules/messaging/SentMail.php by supplying an arbitrary mail_id value. [email protected] 7.1 0.24% 2026-06-11 2026-06-17
CVE-2025-65594 OpenSIS 9.2 and below is vulnerable to Incorrect Access Control in Student.php, which allows an authenticated low-privilege user to perform unauthorized database write operations relating to the data of other users. [email protected] 8.1 0.25% 2025-12-09 2026-07-04
CVE-2025-26186 SQL Injection vulnerability in openSIS v.9.1 allows a remote attacker to execute arbitrary code via the id parameter in Ajax.php [email protected] 8.1 0.46% 2025-07-15 2026-06-17
CVE-2021-41691 A SQL injection vulnerability exists in OS4Ed Open Source Information System Community v8.0 via the "student_id" and "TRANSFER{SCHOOL]" parameters in POST request sent to /TransferredOutModal.php. [email protected] 9.8 1.72% 2025-06-24 2026-06-17
CVE-2025-22931 An insecure direct object reference (IDOR) in the component /assets/stafffiles of OS4ED openSIS v7.0 to v9.1 allows unauthenticated attackers to access files uploaded by staff members. [email protected] 7.5 0.39% 2025-04-03 2026-06-17
CVE-2025-22930 OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the groupid parameter at /messaging/Group.php. [email protected] 9.8 0.46% 2025-04-03 2026-06-17
CVE-2025-22929 OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the filter_id parameter at /students/StudentFilters.php. [email protected] 9.8 0.46% 2025-04-03 2026-06-17
CVE-2025-22926 An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal by sending a crafted POST request to /Modules.php?modname=messaging/Inbox.php&modfunc=save&filename. [email protected] 9.8 0.88% 2025-04-03 2026-06-17
CVE-2025-22928 OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the cp_id parameter at /modules/messages/Inbox.php. [email protected] 9.8 0.39% 2025-04-03 2026-06-17
CVE-2025-22927 An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal by sending a crafted POST request to /Modules.php?modname=messaging/Inbox.php&modfunc=save&filename. [email protected] 9.1 0.75% 2025-04-03 2026-06-17
CVE-2025-22925 OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the table parameter at /attendance/AttendanceCodes.php. The remote, authenticated attacker requires the admin role to successfully exploit this vulnerability. [email protected] 7.5 0.38% 2025-04-02 2026-06-17
CVE-2025-22924 OS4ED openSIS v7.0 through v9.1 contains a SQL injection vulnerability via the stu_id parameter at /modules/students/Student.php. [email protected] 8.8 0.35% 2025-04-02 2026-06-17
CVE-2025-22923 An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal and delete files by sending a crafted POST request to /Modules.php?modname=users/Staff.php&removefile. [email protected] 8.8 0.82% 2025-04-02 2026-06-17
CVE-2024-51211 SQL injection vulnerability exists in OS4ED openSIS-Classic Version 9.1, specifically in the resetuserinfo.php file. The vulnerability is due to improper input validation of the $username_stn_id parameter, which can be manipulated by an attacker to inject arbitrary SQL commands. [email protected] 9.8 2.19% 2024-11-08 2026-06-17
CVE-2024-35584 SQL injection vulnerabilities were discovered in Ajax.php, ForWindow.php, ForExport.php, Modules.php, functions/HackingLogFnc.php in OpenSis Community Edition 9.1 to 8.0, and possibly earlier versions. It is possible for an authenticated user to perform SQL Injection due to the lack to sanitisation. The application takes arbitrary value from "X-Forwarded-For" header and appends it to a SQL INSERT statement directly, leading to SQL Injection. [email protected] 8.8 5.70% 2024-10-15 2026-07-05
CVE-2024-46626 OS4ED openSIS-Classic v9.1 was discovered to contain a SQL injection vulnerability via a crafted payload. [email protected] 8.8 0.86% 2024-10-02 2026-06-17
CVE-2023-38885 OpenSIS Classic Community Edition version 9.0 lacks cross-site request forgery (CSRF) protection throughout the whole app. This may allow an attacker to trick an authenticated user into performing any kind of state changing request. [email protected] 8.8 0.36% 2023-11-20 2026-06-17
CVE-2023-38884 An Insecure Direct Object Reference (IDOR) vulnerability in the Community Edition version 9.0 of openSIS Classic allows an unauthenticated remote attacker to access any student's files by visiting '/assets/studentfiles/<studentId>-<filename>' [email protected] 7.5 0.88% 2023-11-20 2026-06-17
CVE-2023-38883 A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'ajax' parameter in 'ParentLookup.php'. [email protected] 6.1 0.63% 2023-11-20 2026-06-17
CVE-2023-38882 A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'include' parameter in 'ForExport.php' [email protected] 6.1 0.63% 2023-11-20 2026-06-17
«« 第一頁 « 上一頁 第 1 / 5 頁 下一頁 »
cvelogic Threat Intelligence