esusalla

9 exploits Active since Apr 2025
CVE-2025-22923 WRITEUP HIGH WORKING POC
OS4ED openSIS 8.0-9.1 - Path Traversal and Arbitrary File Deletion via /Modules.php
An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal and delete files by sending a crafted POST request to /Modules.php?modname=users/Staff.php&removefile.
CVSS 8.8
CVE-2025-22924 WRITEUP HIGH WORKING POC
OS4ED openSIS 7.0-9.1 - SQL Injection via stu_id Parameter
OS4ED openSIS v7.0 through v9.1 contains a SQL injection vulnerability via the stu_id parameter at /modules/students/Student.php.
CVSS 8.8
CVE-2025-22925 WRITEUP HIGH WORKING POC
OS4ED openSIS 7.0-9.1 - Authenticated SQL Injection via Attendance Codes Table Parameter
OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the table parameter at /attendance/AttendanceCodes.php. The remote, authenticated attacker requires the admin role to successfully exploit this vulnerability.
CVSS 7.5
CVE-2025-22926 WRITEUP CRITICAL WORKING POC
OS4ED openSIS 8.0-9.1 - Path Traversal via Crafted POST Request to /Modules.php
An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal by sending a crafted POST request to /Modules.php?modname=messaging/Inbox.php&modfunc=save&filename.
CVSS 9.8
CVE-2025-22927 WRITEUP CRITICAL WORKING POC
OS4ED openSIS 8.0-9.1 - Path Traversal via Crafted POST Request to Inbox.php
An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal by sending a crafted POST request to /Modules.php?modname=messaging/Inbox.php&modfunc=save&filename.
CVSS 9.1
CVE-2025-22928 WRITEUP CRITICAL WORKING POC
OS4ED openSIS 7.0-9.1 - SQL Injection via cp_id Parameter
OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the cp_id parameter at /modules/messages/Inbox.php.
CVSS 9.8
CVE-2025-22929 WRITEUP CRITICAL WORKING POC
OS4ED openSIS 7.0-9.1 - SQL Injection via StudentFilters.php filter_id Parameter
OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the filter_id parameter at /students/StudentFilters.php.
CVSS 9.8
CVE-2025-22930 WRITEUP CRITICAL WORKING POC
OS4ED openSIS 7.0-9.1 - SQL Injection via Group.php groupid Parameter
OS4ED openSIS v7.0 to v9.1 was discovered to contain a SQL injection vulnerability via the groupid parameter at /messaging/Group.php.
CVSS 9.8
CVE-2025-22931 WRITEUP HIGH WORKING POC
OS4ED openSIS 7.0-9.1 - Unauthenticated Insecure Direct Object Reference in Staff Files Component
An insecure direct object reference (IDOR) in the component /assets/stafffiles of OS4ED openSIS v7.0 to v9.1 allows unauthenticated attackers to access files uploaded by staff members.
CVSS 7.5