CVE-2021-41677

9.8 CRITICAL

📋 TL;DR

A SQL injection vulnerability in openSIS version 8.0 allows attackers to execute arbitrary SQL commands through the Grade parameter. This affects all openSIS 8.0 installations using MySQL or MariaDB databases. Attackers can potentially access, modify, or delete sensitive student and school data.

💻 Affected Systems

Products:
  • openSIS Classic
Versions: Version 8.0
Operating Systems: Any OS running openSIS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations using MySQL or MariaDB as the database backend.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, data destruction, or full system takeover via database server privilege escalation.

🟠 Likely Case: Unauthorized access to sensitive student records, grades, and personal information stored in the database.

🟢 If Mitigated: Limited impact with proper input validation, parameterized queries, and database user privilege restrictions in place.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is accessible via web interface, making internet-facing deployments particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal deployments still vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in a GET parameter, making exploitation trivial with standard SQL injection tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 8.1 or later

Vendor Advisory: https://github.com/OS4ED/openSIS-Classic/issues/202

Restart Required: No

Instructions:

1. Upgrade to openSIS version 8.1 or later.
2. Apply the patch that implements proper input validation and parameterized queries for the GetStuListFnc.php endpoint.

🔧 Temporary Workarounds

Web Application Firewall (WAF) Rules (applies to: all)

Implement WAF rules to block SQL injection patterns in the Grade parameter.

Input Validation Filter (applies to: all)

Add server-side validation to only accept expected values for the Grade parameter.

🧯 If You Can't Patch

  • Restrict database user permissions to minimum required privileges
  • Implement network segmentation to isolate the openSIS server from sensitive systems

🔍 How to Verify

Check if Vulnerable:

Test the /opensis/functions/GetStuListFnc.php endpoint with SQL injection payloads in the Grade parameter

Check Version:

Check openSIS version in admin panel or configuration files

Verify Fix Applied:

Verify that SQL injection attempts no longer succeed and that parameterized queries are implemented

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts following SQL injection patterns
  • Access to GetStuListFnc.php with suspicious Grade parameters

Network Indicators:

  • HTTP requests to GetStuListFnc.php containing SQL keywords in parameters
  • Unusual database connection patterns

SIEM Query:

source="web_logs" AND uri="/opensis/functions/GetStuListFnc.php" AND param="Grade" AND (value CONTAINS "UNION" OR value CONTAINS "SELECT" OR value CONTAINS "OR 1=1")

(The parentheses matter: without them the Grade condition would bind only to the first CONTAINS clause, and requests with other parameters containing SELECT would also match.)
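As an added example (not part of this page or of openSIS itself), the Python below implements the log-indicator and SIEM logic above against constructed Apache combined-format access-log lines: any request to GetStuListFnc.php whose Grade parameter carries SQL injection markers, or falls outside an assumed allowlist of one- or two-digit grade levels, is flagged. The log format, the sample lines and the allowlist are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format access-log lines (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2021:13:55:36 +0000] "GET /opensis/functions/GetStuListFnc.php?Grade=9&Teacher=12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2021:13:55:40 +0000] "GET /opensis/functions/GetStuListFnc.php?Grade=9%27%20UNION%20SELECT%201--%20- HTTP/1.1" 200 9821 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Oct/2021:13:56:01 +0000] "GET /opensis/functions/GetStuListFnc.php?Grade=1%27%20OR%201%3D1%20--%20 HTTP/1.1" 200 20011 "-" "curl/7.68.0"
203.0.113.9 - - [10/Oct/2021:13:56:30 +0000] "GET /opensis/index.php?modname=users/Student.php HTTP/1.1" 200 3321 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_PATH = "/functions/getstulistfnc.php"   # path suffix of the affected endpoint
GRADE_OK = re.compile(r"^\d{1,2}$")           # assumed allowlist: a 1-2 digit grade level
# Tell-tale SQL injection markers: keywords, a tautology, quotes and comment sequences.
SQLI_RE = re.compile(r"\bUNION\b|\bSELECT\b|\bOR\b\s+\S+\s*=\s*\S+|'|--|/\*", re.IGNORECASE)


def analyze_line(line):
    """Return an alert dict for a suspicious Grade value, or None if the line is benign/irrelevant."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    if not parts.path.lower().endswith(VULN_PATH):
        return None
    # parse_qs percent-decodes the value, so URL-encoded payloads are inspected in clear text.
    for grade in parse_qs(parts.query, keep_blank_values=True).get("Grade", []):
        if SQLI_RE.search(grade):
            reason = "sqli_pattern"
        elif not GRADE_OK.match(grade):
            reason = "unexpected_value"
        else:
            continue
        return {"ip": m.group("ip"), "ts": m.group("ts"), "grade": grade, "reason": reason}
    return None


def scan_log(text):
    """Run analyze_line over every line of an access log and collect the alerts."""
    return [a for a in (analyze_line(l) for l in text.splitlines()) if a]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The allowlist check catches values the keyword regex misses (fail-closed on anything that is not a plain grade level), which is the same stance the Input Validation Filter workaround takes on the server side.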
