CVE-2020-27408

HIGH

OpenSIS CE <7.6 - Info Disclosure

Description

OpenSIS Community Edition through 7.6 is affected by incorrect access controls for the file ResetUserInfo.php that allow an unauthenticated attacker to change the password of arbitrary users.

Scores

CVSS v3: 7.5
EPSS: 0.0118
EPSS Percentile: 78.9%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE: CWE-287, CWE-640
Status: published
Products (1): os4ed/opensis < 7.6
Published: Dec 04, 2020
Tracked Since: Feb 18, 2026