CVE-2020-27408
Severity: HIGH
OpenSIS Community Edition < 7.6 - Unauthenticated Arbitrary Password Reset via ResetUserInfo.php
Title source: llmDescription
OpenSIS Community Edition through 7.6 is affected by incorrect access controls for the file ResetUserInfo.php that allow an unauthenticated attacker to change the password of arbitrary users.
References (2)
Core References
Release Notes, Third Party Advisory (x_refsource_misc): https://github.com/OS4ED/openSIS-Responsive-Design/releases
Exploit, Third Party Advisory (x_refsource_misc): https://insinuator.net/2020/10/opensis-vulnerabilities/
Scores
CVSS v3
7.5
EPSS
0.0165
EPSS Percentile
73.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-287
CWE-640
Status
published
Products (1)
os4ed/opensis
< 7.6
Published
Dec 04, 2020
Tracked Since
Feb 18, 2026