CVE-2021-40353

CRITICAL

openSIS 8.0 - SQL Injection via index.php USERNAME Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-40353. PoCs published by 5qu1n7.

AI-analyzed exploit summary This repository contains a writeup detailing a SQL injection vulnerability in openSIS 8.0 via the USERNAME parameter in index.php. It includes error-based and time-based injection examples, along with sqlmap output confirming exploitability.

Description

A SQL injection vulnerability exists in version 8.0 of openSIS when MySQL or MariaDB is used as the application database. An attacker can then issue the SQL command through the index.php USERNAME parameter. NOTE: this issue may exist because of an incomplete fix for CVE-2020-6637.

Exploits (1)

nomisec WRITEUP 5 stars

by 5qu1n7 · poc

https://github.com/5qu1n7/CVE-2021-40353

View Code ZIP pw:eip

This repository contains a writeup detailing a SQL injection vulnerability in openSIS 8.0 via the USERNAME parameter in index.php. It includes error-based and time-based injection examples, along with sqlmap output confirming exploitability.

Classification

Writeup 90%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: openSIS 8.0

No auth needed

Prerequisites: Access to the login page of openSIS 8.0 · MySQL or MariaDB as the backend database

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Product x_refsource_misc

https://www.opensis.com/download/english

Exploit, Third Party Advisory x_refsource_misc

https://github.com/5qu1n7/CVE-2021-40353

Scores

CVSS v3 9.8

EPSS 0.0283

EPSS Percentile 84.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (1)

os4ed/opensis 8.0

Published Sep 01, 2021

Tracked Since Feb 18, 2026