Remote Code Execution Vulnerability in OS4Ed openSIS 7.4
CVE-2020-6143

CVSS score: 10 (CRITICAL)

Key Information:

Vendor: Os4ed
Status: Vendor
CVE Published: 1 September 2020

What is CVE-2020-6143?

A remote code execution vulnerability exists in the install functionality of OS4Ed openSIS 7.4. The password value handled in install/Step5.php is not sanitised before it is written into the generated Data.php file during installation, so it is susceptible to PHP code injection. By sending a crafted HTTP request to the installer, an attacker can have arbitrary PHP code written into Data.php and executed on the server, which puts the application and its data at serious risk.
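The defect described above is the classic "interpolate user input into generated PHP source" pattern. The following is an added illustration, not openSIS's own code: it contrasts that unsafe pattern with a hardened writer that serialises the value with var_export() so that quotes, semicolons and PHP tags in the input remain inside a string literal, and it verifies the generated file parses back to the original value. The variable name $DatabasePassword and the file layout are assumptions made for the example.

```php
<?php
// Added example (not openSIS code). Demonstrates how an installer should emit a
// user-supplied value into a generated PHP configuration file such as Data.php.

// Unsafe pattern (the bug class behind CVE-2020-6143): the raw value becomes
// part of the PHP source text, so any quote or PHP tag in it changes the code.
function render_config_unsafe(string $password): string
{
    return "<?php\n\$DatabasePassword = '" . $password . "';\n";
}

// Hardened pattern: var_export() yields a valid PHP string literal with all
// quotes and backslashes escaped, so the value can only ever be data.
function render_config_safe(string $password): string
{
    return "<?php\n\$DatabasePassword = " . var_export($password, true) . ";\n";
}

// Self-check: write the generated file, include it, and confirm the value
// round-trips unchanged. Returns true when the config is both valid PHP and
// carries exactly the supplied value.
function config_roundtrips(string $password): bool
{
    $file = tempnam(sys_get_temp_dir(), 'cfg');
    file_put_contents($file, render_config_safe($password));
    $DatabasePassword = null;
    include $file;          // defines $DatabasePassword from the generated file
    unlink($file);
    return $DatabasePassword === $password;
}

// Constructed sample containing characters that break out of a naive literal.
$sample = "it's \"quoted\" <?php ?> \\ end";
echo render_config_safe($sample);
var_dump(config_roundtrips($sample));
```

A review check for installers of this kind: grep the code that writes configuration files for string concatenation of request parameters and require var_export() (or a non-PHP config format) instead.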

Affected Version(s)

OS4Ed openSIS 7.4

EPSS Score: 10% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

CVSS V3.0

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published: 1 September 2020
  • Vulnerability reserved