CRITICAL🇵🇱 Wersja polska

CVE-2020-6143

CVSS 9.8v3.1pub. 2020-09-01upd. 2024-11-21

A remote code execution vulnerability exists in the install functionality of OS4Ed openSIS 7.4. The password variable which is set at line 122 in install/Step5.php allows for injection of PHP code into the Data.php file that it writes. An attacker can send an HTTP request to trigger this vulnerability.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Os4ed Opensis

    APP
    Os4Ed
    7.4
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2021-41691CRITICAL9.8PL ✓ten sam produkt

SQL Injection w OpenSIS via parametry student_id i TRANSFER[SCHOOL]

CVE-2025-22928CRITICAL9.8PL ✓ten sam produkt

SQL Injection w OS4ED openSIS — parametr cp_id w module wiadomości

CVE-2025-22926CRITICAL9.8PL ✓ten sam produkt

Path traversal w openSIS umożliwia nieautoryzowany dostęp do plików

CVE-2025-22927CRITICAL9.1PL ✓ten sam produkt

Path traversal w openSIS — nieautoryzowany dostęp do plików przez Modules.php

CVE-2025-22929CRITICAL9.8PL ✓ten sam produkt

SQL Injection w Os4Ed openSIS — parametr filter_id