SB2020090116 - Multiple vulnerabilities in OS4Ed openSIS
Published: September 1, 2020 Updated: September 2, 2020
Description
This security bulletin contains information about 30 security vulnerabilities.
1) SQL injection (CVE-ID: CVE-2020-6129)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "course_period_id" parameter in the "CpSessionSet.php" page. A remote authenticated attacker can send a specially crafted HTTP request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
2) SQL injection (CVE-ID: CVE-2020-6130)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "course_period_id" parameter in the "MassDropSessionSet.php" page. A remote authenticated attacker can send a specially crafted HTTP request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
3) SQL injection (CVE-ID: CVE-2020-6131)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "coure_period_id" parameter in the "MassScheduleSessionSet.php" page. A remote authenticated attacker can send a specially crafted HTTP request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
4) Code Injection (CVE-ID: CVE-2020-6144)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in the username variable in "install/Step5.php". A remote attacker can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
5) Code Injection (CVE-ID: CVE-2020-6143)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in the password variable in "install/Step5.php". A remote attacker can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
6) SQL injection (CVE-ID: CVE-2020-6125)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "u" parameter in the "GetSchool.php" page. A remote authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
7) SQL injection (CVE-ID: CVE-2020-6136)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "down_id" parameter in the download page "DownloadWindow.php". A remote authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
8) SQL injection (CVE-ID: CVE-2020-6140)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "password_stf_email" parameter in the password reset page "/opensis/ResetUserInfo.php". A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
9) SQL injection (CVE-ID: CVE-2020-6139)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "username_stf_email" parameter in the password reset page "/opensis/ResetUserInfo.php". A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
10) SQL injection (CVE-ID: CVE-2020-6138)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "uname" parameter in the password reset page "/opensis/ResetUserInfo.php". A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
11) SQL injection (CVE-ID: CVE-2020-6137)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "password_stf_email" parameter in the password reset page "/opensis/ResetUserInfo.php". A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
12) SQL injection (CVE-ID: CVE-2020-6134)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "id" parameter in the "MassDropModal.php" page. A remote authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
13) SQL injection (CVE-ID: CVE-2020-6133)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "id" parameter in the "CourseMoreInfo.php" page. A remote authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
14) SQL injection (CVE-ID: CVE-2020-6132)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "id" parameter in the "ChooseCP.php" page. A remote authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
15) SQL injection (CVE-ID: CVE-2020-6128)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "meet_date" parameter in the "CoursePeriodModal.php" page. A remote authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
16) SQL injection (CVE-ID: CVE-2020-6127)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "id" parameter in the "CoursePeriodModal.php" page. A remote authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
17) SQL injection (CVE-ID: CVE-2020-6126)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "course_period_id" parameter in the "CoursePeriodModal.php" page. A remote authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
18) SQL injection (CVE-ID: CVE-2020-6141)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "USERNAME" parameter in the "/opensis/index.php" page. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
19) SQL injection (CVE-ID: CVE-2020-6122)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "mn" parameter in the "CheckDuplicateStudent.php" page. A remote authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
20) SQL injection (CVE-ID: CVE-2020-6121)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "ln" parameter in the "CheckDuplicateStudent.php" page. A remote authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
21) SQL injection (CVE-ID: CVE-2020-6120)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "fn" parameter in the "CheckDuplicateStudent.php" page. A remote authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
22) SQL injection (CVE-ID: CVE-2020-6119)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "byear" parameter in the "CheckDuplicateStudent.php" page. A remote authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
23) SQL injection (CVE-ID: CVE-2020-6118)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "bmonth" parameter in the "CheckDuplicateStudent.php" page. A remote authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
24) SQL injection (CVE-ID: CVE-2020-6117)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "bday" parameter in the "CheckDuplicateStudent.php" page. A remote authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
25) SQL injection (CVE-ID: CVE-2020-6135)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "stfid" parameter in the "Validator.php" page. A remote authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
26) SQL injection (CVE-ID: CVE-2020-6124)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "email" parameter in the "EmailCheckOthers.php" page. A remote authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
27) SQL injection (CVE-ID: CVE-2020-6123)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "email" parameter in the "EmailCheck.php" page. A remote authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
28) Path traversal (CVE-ID: CVE-2020-6142)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing directory traversal sequences in the "Modules.php" functionality. A remote authenticated attacker can send a specially crafted HTTP request and read arbitrary files on the system, leading to remote code execution.
29) SQL injection (CVE-ID: CVE-2020-6637)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "USERNAME" parameter of index.php. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
30) SQL injection (CVE-ID: CVE-2020-13380)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
Remediation
Install update from vendor's website.
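One way to triage web access logs for requests that touch the pages and parameters listed in this bulletin, for hosts where the update is not yet installed (an added example, not part of the bulletin or the vendor's code). The matching heuristics, the sample log lines and the `example_param` name are assumptions of the example; parameters sent in POST bodies do not appear in access logs and are not covered.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Page -> parameters named in the bulletin's SQL injection entries
# (spellings exactly as the bulletin lists them).
SQLI_PARAMS = {
    "CpSessionSet.php": {"course_period_id"},
    "MassDropSessionSet.php": {"course_period_id"},
    "MassScheduleSessionSet.php": {"coure_period_id"},
    "GetSchool.php": {"u"},
    "DownloadWindow.php": {"down_id"},
    "ResetUserInfo.php": {"password_stf_email", "username_stf_email", "uname"},
    "MassDropModal.php": {"id"},
    "CourseMoreInfo.php": {"id"},
    "ChooseCP.php": {"id"},
    "CoursePeriodModal.php": {"meet_date", "id", "course_period_id"},
    "index.php": {"USERNAME"},
    "CheckDuplicateStudent.php": {"mn", "ln", "fn", "byear", "bmonth", "bday"},
    "Validator.php": {"stfid"},
    "EmailCheckOthers.php": {"email"},
    "EmailCheck.php": {"email"},
}
TRAVERSAL_PAGE = "Modules.php"  # CVE-2020-6142; the bulletin names no parameter

# Heuristics chosen for this example (assumptions, not from the bulletin).
SQL_META = re.compile(r"['\"\\;]|--|/\*|\b(?:union|select|sleep|benchmark)\b", re.I)
DOT_DOT = re.compile(r"\.\.[/\\]")
# Request part of a common/combined-format access log line.
REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" \d{3}')


def triage(lines):
    """Return (client, page, parameter, decoded value, reason) for suspect requests."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not an access log request line
        client, target = m.groups()
        url = urlsplit(target)
        page = url.path.rsplit("/", 1)[-1]
        # parse_qsl percent-decodes once, so %27 and ..%2F are seen decoded.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name in SQLI_PARAMS.get(page, ()) and SQL_META.search(value):
                findings.append((client, page, name, value, "sql-metacharacter"))
            elif page == TRAVERSAL_PAGE and DOT_DOT.search(value):
                findings.append((client, page, name, value, "dot-dot-segment"))
    return findings


# Constructed sample lines (documentation addresses, made-up values).
SAMPLE = [
    '192.0.2.10 - - [01/Sep/2020:10:00:00 +0000] "GET /opensis/CourseMoreInfo.php?id=42 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Sep/2020:10:00:05 +0000] "GET /opensis/EmailCheck.php?email=a%40example.org%27%20OR%201%3D1 HTTP/1.1" 200 64',
    '198.51.100.7 - - [01/Sep/2020:10:00:09 +0000] "GET /opensis/Modules.php?example_param=..%2F..%2Fsome%2Ffile HTTP/1.1" 200 90',
    '192.0.2.11 - - [01/Sep/2020:10:01:00 +0000] "GET /opensis/Other.php?q=it%27s HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Legitimate values that contain an apostrophe, such as some surnames, will also match, so findings are leads for review rather than confirmed incidents.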
References
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1076
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1083
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1074
- https://talosintelligence.com/vulnerability_reports/TALOS-2020-1079
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1080
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1075
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1077
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1081
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1072
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1078
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1073
- https://talosintelligence.com/vulnerability_reports/TALOS-2020-1082
- https://cinzinga.com/CVE-2020-6637/
- https://github.com/OS4ED/openSIS-Responsive-Design/commit/1127ae0bb7c3a2883febeabc6b71ad8d73510de8
- https://opensis.com/
- https://sourceforge.net/projects/opensis-ce/files/
- https://packetstormsecurity.com/files/158257/openSIS-7.4-SQL-Injection.html