CVE-2021-27341

9.8 CRITICAL

📋 TL;DR

OpenSIS Community Edition versions up to 7.6 contain a local file inclusion vulnerability in DownloadWindow.php via the 'filename' parameter. This allows attackers to read arbitrary files from the server filesystem. All users running affected versions are vulnerable.

💻 Affected Systems

Products:
  • OpenSIS Community Edition
Versions: <= 7.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with default configuration are vulnerable. The vulnerability is in the core application code.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise through reading sensitive files like configuration files, password hashes, or database credentials, potentially leading to remote code execution.

🟠 Likely Case

Unauthorized access to sensitive system files, configuration data, or user information stored on the server.

🟢 If Mitigated

Limited impact with proper file permissions and web server sandboxing, but still potential information disclosure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is simple to exploit by manipulating the filename parameter in HTTP requests to DownloadWindow.php.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after commit f78407d5291c686c3f416073dcb9143f3a3d5489

Vendor Advisory: https://github.com/OS4ED/openSIS-Classic/issues/158

Restart Required: No

Instructions:

1. Update to the latest version of OpenSIS Community Edition.
2. Apply the patch from commit f78407d5291c686c3f416073dcb9143f3a3d5489.
3. Verify the fix by checking that DownloadWindow.php properly validates filename parameters.

🔧 Temporary Workarounds

Web Application Firewall Rule

Platform: all

Block requests containing directory traversal sequences in the filename parameter

File Permission Restriction

Platform: linux

Restrict web server user permissions to limit accessible files

chmod 600 sensitive_config_files
chown root:root sensitive_files

🧯 If You Can't Patch

  • Implement strict input validation in DownloadWindow.php to reject directory traversal sequences
  • Disable or restrict access to DownloadWindow.php if not required for functionality

🔍 How to Verify

Check if Vulnerable:

Test by accessing DownloadWindow.php with a filename parameter containing directory traversal sequences like '../../etc/passwd'

Check Version:

Check OpenSIS version in admin panel or configuration files

Verify Fix Applied:

Repeat the same test after patching; the request should return an error or sanitized output.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to DownloadWindow.php with suspicious filename parameters containing '../' sequences
  • Unusual file access patterns from web server process

Network Indicators:

  • HTTP GET/POST requests with filename parameter containing path traversal attempts

SIEM Query:

web.url:*DownloadWindow.php* AND (web.param.filename:*../* OR web.param.filename:*..\*)
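
Where no SIEM is available, the same log indicator can be checked directly against web server access logs. The script below is an added example, not part of the advisory or of OpenSIS: it assumes combined-format access logs and an install under a hypothetical "/opensis/" prefix, and it goes slightly beyond the query above by percent-decoding the filename value before matching, so encoded forms of '../' and '..\' are also caught.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Access-log line in combined format: client ... "METHOD target HTTP/x.y" status
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# ".." as a whole path segment, with either slash style
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so multiply-encoded values are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    return bool(TRAVERSAL_RE.search(fully_decode(value)))

def find_hits(lines):
    """Return (client_ip, status, decoded_filename) for each suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group('target'))
        if not url.path.lower().endswith('/downloadwindow.php'):
            continue
        # Only the query string is visible in access logs; POST bodies are not.
        for value in parse_qs(url.query).get('filename', []):
            if has_traversal(value):
                hits.append((m.group('ip'), m.group('status'), fully_decode(value)))
    return hits

# Constructed sample lines (documentation IP ranges; "/opensis/" prefix is assumed)
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2021:10:01:02 +0000] "GET /opensis/DownloadWindow.php?filename=../../etc/passwd HTTP/1.1" 200 1532',
    '203.0.113.8 - - [10/Mar/2021:10:01:05 +0000] "GET /opensis/DownloadWindow.php?filename=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1532',
    '203.0.113.9 - - [10/Mar/2021:10:01:09 +0000] "GET /opensis/DownloadWindow.php?filename=..%5C..%5Cetc%5Cpasswd HTTP/1.1" 404 209',
    '198.51.100.4 - - [10/Mar/2021:10:02:11 +0000] "GET /opensis/DownloadWindow.php?filename=report_2021.pdf HTTP/1.1" 200 48213',
    '198.51.100.9 - - [10/Mar/2021:10:03:40 +0000] "GET /opensis/index.php?filename=../x HTTP/1.1" 404 209',
]

if __name__ == '__main__':
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

A hit logged with status 200 deserves priority triage, since the request was served rather than rejected.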
