SQL Injection Vulnerability in OS4Ed openSIS 7.3 Password Reset Functionality
CVE-2020-6140
9.8CRITICAL
What is CVE-2020-6140?
A SQL injection vulnerability is present in the password reset functionality of OS4Ed openSIS version 7.3. The issue lies within the password_stf_email parameter on the /opensis/ResetUserInfo.php page, where improper handling of user input allows attackers to exploit this weakness. By crafting a malicious HTTP request, an attacker could manipulate the SQL queries executed by the application, potentially compromising the integrity of the database and gaining unauthorized access to sensitive information. Ensuring proper input validation and sanitization is crucial to mitigating this risk.
Affected Version(s)
OS4Ed OS4Ed openSIS 7.3
References
CVSS V3.1
Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
CVSS V3.0
Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved