A SQL injection vulnerability was discovered in OS4Ed Open Source Information System Community version 9.1. By manipulating the 'X-Forwarded-For' header parameters in a POST request to /Ajax.php, an attacker can execute malicious SQL queries.
The 'modname' parameter in 'Modules.php' is vulnerable to local file inclusion. This vulnerability can be exploited to expose sensitive information from arbitrary files in the underlying system.
A SQL injection vulnerability exists in OS4Ed Open Source Information System Community v8.0 via the 'student_id' and 'TRANSFER[SCHOOL]' parameters in a POST request sent to /TransferredOutModal.php. An attacker who exploits this vulnerability may access private data in the database system.
OpenSIS Community Edition version 8.0 is affected by a cross-site scripting (XSS) vulnerability in TakeAttendance.php via the cp_id_miss_attn parameter. An attacker can exploit this vulnerability by sending a maliciously crafted request to the vulnerable application. This will allow the attacker to execute arbitrary HTML and JavaScript code in the context of the affected application.
A SQL injection vulnerability exists in the Take Attendance functionality of OS4Ed's OpenSIS 8.0 that allows an attacker to inject their own SQL query. The cp_id_miss_attn parameter from TakeAttendance.php is vulnerable to SQL injection. An attacker can make an authenticated HTTP request as a user with access to 'Take Attendance' functionality to trigger this vulnerability.