Code Injection in openSIS - CVE-2013-1349

 


Published: December 9, 2013 / Updated: September 9, 2020


Vulnerability identifier: #VU46335
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:A/U:Green
CVE-ID: CVE-2013-1349
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vendor: Open Solutions for Education
Affected software: openSIS

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Eval injection vulnerability in ajax.php in openSIS 4.5 through 5.2 allows remote attackers to execute arbitrary PHP code via the modname parameter.


How to mitigate CVE-2013-1349

Install the update from the vendor's website.
