Remote Code Execution Vulnerability in OS4Ed openSIS 7.4 Install Functionality

CVE-2020-6143 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

A remote code execution vulnerability exists in the install functionality of OS4Ed openSIS 7.4. The password variable, which is set at line 122 in install/Step5.php, allows injection of PHP code into the Data.php file that the installer writes. An attacker can send an HTTP request to trigger this vulnerability.
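The class of bug described above, a request value written into generated PHP source, is shown here as an added example that is not openSIS code. The function names, the `$db_password` variable and the sample value are hypothetical; the sketch contrasts string concatenation with `var_export()` and checks whether the value survives a write-and-load round trip.

```php
<?php
declare(strict_types=1);

// Illustration only; not taken from install/Step5.php. All names are hypothetical.

// Unsafe pattern: the value is pasted between quotes in generated PHP source,
// so a quote character inside the value ends the string literal early and the
// rest of the value is parsed as PHP.
function render_config_unsafe(string $password): string
{
    return "<?php\n\$db_password = '" . $password . "';\n";
}

// Hardened pattern: var_export() emits a valid PHP string literal for any
// input string, escaping quotes and backslashes.
function render_config_safe(string $password): string
{
    return "<?php\n\$db_password = " . var_export($password, true) . ";\n";
}

// Write the generated source to a temp file, load it, and return the value
// the file defines, or null if the file is not valid PHP.
function load_back(string $source): ?string
{
    $path = tempnam(sys_get_temp_dir(), 'cfg');
    file_put_contents($path, $source);
    try {
        include $path;
        return $db_password ?? null;
    } catch (ParseError $e) {
        return null;
    } finally {
        unlink($path);
    }
}

// Constructed sample: a legitimate password containing a quote and a backslash.
$sample = "pa'ss\\word";

// The unsafe writer produces a file that no longer holds the original value;
// the hardened writer round-trips it unchanged.
var_dump(load_back(render_config_unsafe($sample)) === $sample);
var_dump(load_back(render_config_safe($sample)) === $sample);
```

A round-trip check like this is a quick regression test for any installer that generates source files from form input.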
