Multiple vulnerabilities in OpenSIS OS4ED
Posted date 08/10/2025
Identifier
INCIBE-2025-0551
Importance
4 - High
Affected Resources
OS4ED, version 9.1.
Description
INCIBE has coordinated the publication of seven vulnerabilities, five of high severity and two of medium severity, affecting OpenSIS from OS4ED, a student information management system. The vulnerabilities were discovered by Rafael Pedrero.
The following CVE identifiers, CVSS v4.0 base score, CVSS vector and CWE vulnerability type have been assigned to each vulnerability:
- CVE-2025-10333 through CVE-2025-10337: CVSS v4.0: 8.7 | CVSS vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89
- CVE-2025-10338 and CVE-2025-10339: CVSS v4.0: 4.8 | CVSS vector AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
Solution
No solution has been reported at this time.
Detail
- SQL injection vulnerability in OpenSIS v9.1 from OS4ED. This vulnerability allows an attacker to retrieve, create, update, and delete databases. The relationship between parameters and assigned identifiers is as follows:
  - CVE-2025-10333: parameters “marking_period_id”, “modfunc”, “cpv_id” in “/openSIS/Ajax.php”.
  - CVE-2025-10334: parameter “str” in “/openSIS/NamesList.php”.
  - CVE-2025-10335: parameter “marking_period_id” in “/openSIS/Modules.php”.
  - CVE-2025-10336: parameter “id” in “/openSIS/EmailCheckOthers.php”.
  - CVE-2025-10337: parameter “course_period_id” in “/openSIS/MassDropSessionSet.php”.
- Reflected Cross-Site Scripting vulnerability in OpenSIS v9.1 from OS4ED. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL. The list of parameters and assigned identifiers is as follows:
  - CVE-2025-10338: parameter “str” in “/openSIS/NamesList.php”.
  - CVE-2025-10339: parameter “userid” in “/openSIS/Validator.php”.
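Since no fix has been reported, defenders of an OpenSIS 9.1 deployment are left with detection and compensating controls. The following is an added example, not code from INCIBE or from OS4ED: it scans web-server access-log lines for requests to the endpoints listed above and flags values that do not fit the parameters' expected shape (identifier parameters that are not plain integers, and free-text parameters containing quote, angle-bracket or SQL-comment characters). The log format, the constructed sample lines and the assumption that the `*_id` and `id` parameters are always integers are mine, not the advisory's.

```python
import re
from urllib.parse import urlparse, parse_qs

# Endpoints and parameters taken from the advisory (CVE-2025-10333..10339).
# Assumption (not stated in the advisory): these identifier parameters are
# always plain integers in legitimate traffic, so anything else is suspect.
NUMERIC_PARAMS = {
    "/openSIS/Ajax.php": {"marking_period_id", "cpv_id"},
    "/openSIS/Modules.php": {"marking_period_id"},
    "/openSIS/EmailCheckOthers.php": {"id"},
    "/openSIS/MassDropSessionSet.php": {"course_period_id"},
}
# Free-text parameters named in the SQL injection and XSS findings; for these we
# can only look for metacharacters that legitimate lookups should not contain.
TEXT_PARAMS = {
    "/openSIS/Ajax.php": {"modfunc"},
    "/openSIS/NamesList.php": {"str"},
    "/openSIS/Validator.php": {"userid"},
}

INT_RE = re.compile(r"^\d+$")
# Quotes, angle brackets, statement separators and SQL comment openers.
META_RE = re.compile(r"""['"<>;]|--|/\*""")

# Combined Log Format (assumed log layout). Note that only query-string
# parameters are visible here; POST bodies never reach the access log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def check_request(target):
    """Return (path, param, reason) tuples for one request target."""
    url = urlparse(target)
    path = url.path
    # parse_qs percent-decodes values, so %27 is inspected as a literal quote
    params = parse_qs(url.query, keep_blank_values=True)
    findings = []
    for name in sorted(NUMERIC_PARAMS.get(path, ())):
        for value in params.get(name, []):
            if not INT_RE.match(value):
                findings.append((path, name, "non-integer value"))
    for name in sorted(TEXT_PARAMS.get(path, ())):
        for value in params.get(name, []):
            if META_RE.search(value):
                findings.append((path, name, "metacharacters"))
    return findings


def scan_log(lines):
    """Scan access-log lines and return one dict per suspicious parameter."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production scanner would count these
        for path, name, reason in check_request(m.group("target")):
            results.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "path": path,
                "param": name,
                "reason": reason,
            })
    return results


# Constructed sample log lines (RFC 5737 test addresses); lines 2 and 4 carry
# a stray quote and an HTML tag respectively, the other three are benign.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Oct/2025:10:15:02 +0000] "GET /openSIS/Modules.php?modname=grades&marking_period_id=12 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [08/Oct/2025:10:15:09 +0000] "GET /openSIS/Modules.php?modname=grades&marking_period_id=12%27 HTTP/1.1" 200 5120',
    '198.51.100.4 - - [08/Oct/2025:10:16:30 +0000] "GET /openSIS/NamesList.php?str=smith HTTP/1.1" 200 880',
    '198.51.100.4 - - [08/Oct/2025:10:16:41 +0000] "GET /openSIS/NamesList.php?str=%3Cb%3Esmith HTTP/1.1" 200 900',
    '192.0.2.9 - - [08/Oct/2025:10:17:00 +0000] "POST /openSIS/Ajax.php?modfunc=detail&cpv_id=44 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['path']} {hit['param']}: {hit['reason']}")
```

The allowlist approach (expected shape per parameter) is deliberately preferred over a blocklist of attack strings: it flags the two constructed anomalies above without needing to enumerate payload variants, and the same rules can be carried into a WAF or reverse-proxy policy as a compensating control until a vendor fix is available.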
Exploitation
No