CVE-2021-40353
9.8 CRITICAL
A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database.
Published: 2021-09-01 · Last updated: 2026-06-17
Severity and scoring
- CVSS: 9.8 CRITICAL
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-89
Affected products
| Vendor | Product |
|---|---|
| os4ed | opensis |
Description
A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the index.php USERNAME parameter. NOTE: this issue may exist because of an incomplete fix for CVE-2020-6637.
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2021-40353
- [Exploit reference] https://github.com/5qu1n7/CVE-2021-40353
- [Other] https://www.opensis.com/download/english
Related CVEs
Same vendor
- CVE-2021-40618 — An SQL Injection vulnerability exists in openSIS Classic 8.0 via the 1) ADDR_CONT_USRN, 2) ADDR_CONT_PSWD, 3) SECN_CONT_USRN or 4) SECN_C... (9.8 CRITICAL)
- CVE-2021-40617 — An SQL Injection vulnerability exists in openSIS Community Edition version 8.0 via ForgotPassUserName.php (9.8 CRITICAL)
- CVE-2021-40543 — Opensis-Classic Version 8.0 is affected by a SQL injection vulnerability due to a lack of sanitization of input data at two parameters $_... (9.8 CRITICAL)
- CVE-2021-40542 — Opensis-Classic Version 8.0 is affected by cross-site scripting (XSS) (6.1 MEDIUM)
- CVE-2021-40651 — OS4Ed OpenSIS Community 8.0 is vulnerable to a local file inclusion vulnerability in Modules.php (modname parameter), which can disclose ... (6.5 MEDIUM)
Same CWE
- CVE-2026-52715 — Unauthenticated SQL Injection in GEO my WordPress <= 4.5.5 versions (9.3 CRITICAL)
- CVE-2026-52712 — Subscriber SQL Injection in Attendance Manager <= 0.6.2 versions (7.6 HIGH)
- CVE-2026-49772 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Liquid Web / StellarWP The Events C... (9.3 CRITICAL)
- CVE-2026-39581 — Subscriber SQL Injection in WP Sessions Time Monitoring Full Automatic <= 1.1.4 versions (8.5 HIGH)
- CVE-2026-39574 — Unauthenticated SQL Injection in InPost Gallery <= 2.1.4.6 versions (9.3 CRITICAL)