openSIS is one of several free and open-source student information systems available to K-12 and higher education institutions. The solution is a web-based application developed and maintained by Open Solutions for Education, Inc. (www.os4ed.com).
As a result of our research, we detected SQL injection vulnerabilities in OS4Ed Open Source Information System Community v8.0 via the "student_id" and "TRANSFER[SCHOOL]" parameters in a POST request sent to /TransferredOutModal.php.
As the Security For Everyone team, we regularly look for vulnerabilities in software we have chosen in order to find 0-days. One of the applications we chose was the openSIS Student Information System web application, which serves education institutions. After deciding on the application in which we were going to look for vulnerabilities, we performed the following steps in order:
After we detected the vulnerability, we sent two e-mails to the relevant company to discuss it. However, although the software is kept up to date, we did not receive a response to the e-mails we sent to report the security vulnerability. If the software is updated in the future, it is highly recommended to apply these updates for the security of your system.
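
With no vendor response reported above, one compensating control is to screen POST requests to the affected endpoint before they reach the application. The following is an added example, not code from openSIS or from the original post; it assumes both parameters are meant to carry numeric identifiers, and the function names, the `/opensis/` path prefix and the sample bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Endpoint and parameter names come from the advisory text.
AFFECTED_PATH = "/TransferredOutModal.php"
AFFECTED_PARAMS = ("student_id", "TRANSFER[SCHOOL]")
# Assumption: both parameters carry numeric identifiers. Adjust this
# allowlist if your deployment legitimately sends other values.
NUMERIC_ID = re.compile(r"[0-9]{1,10}")


def php_name(name):
    # PHP strips leading spaces and rewrites dots and spaces to
    # underscores in the top-level part of a parameter name, so the
    # filter normalizes names the same way before comparing them.
    head, bracket, rest = name.lstrip(" ").partition("[")
    return head.replace(".", "_").replace(" ", "_") + bracket + rest


def screen_request(method, path, body):
    """Return (parameter, reason) findings; an empty list means pass."""
    if method.upper() != "POST" or not path.split("?", 1)[0].endswith(AFFECTED_PATH):
        return []
    findings, seen = [], {}
    # parse_qsl percent-decodes names and values ("%5B" -> "[").
    for name, value in parse_qsl(body, keep_blank_values=True):
        name = php_name(name)
        if name not in AFFECTED_PARAMS:
            continue
        seen[name] = seen.get(name, 0) + 1
        if not NUMERIC_ID.fullmatch(value):
            findings.append((name, "value is not a plain numeric identifier"))
    # A repeated parameter can make the filter and the application
    # disagree on which value is used, so treat it as a finding too.
    findings += [(n, "parameter sent more than once") for n, c in seen.items() if c > 1]
    return findings


if __name__ == "__main__":
    # Constructed sample request bodies, not captured traffic.
    for body in ("student_id=42&TRANSFER%5BSCHOOL%5D=3",
                 "student_id=12abc&TRANSFER%5BSCHOOL%5D=3"):
        print(body, "->", screen_request("POST", "/opensis/TransferredOutModal.php", body))
```

A request with any finding should be blocked and logged; this narrows exposure of the two named parameters but does not replace a fix in the application's own query handling.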