Vulnerability Details : CVE-2023-38885
OpenSIS Classic Community Edition version 9.0 lacks cross-site request forgery (CSRF) protection throughout the whole app. This may allow an attacker to trick an authenticated user into performing any kind of state changing request.
Vulnerability category: Cross-site request forgery (CSRF)
Products affected by CVE-2023-38885
- cpe:2.3:a:os4ed:opensis:9.0:*:*:*:community:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-38885
0.08%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 36 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-38885
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2024-10-21 |
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST |
CWE ids for CVE-2023-38885
-
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2023-38885
-
https://github.com/dub-flow/vulnerability-research/tree/main/CVE-2023-38885
vulnerability-research/CVE-2023-38885 at main · dub-flow/vulnerability-research · GitHubVendor Advisory
-
https://www.os4ed.com/
Open Solutions for EducationProduct
-
https://github.com/OS4ED/openSIS-Classic
GitHub - OS4ED/openSIS-Classic: openSIS is a commercial grade, secure, scalable & intuitive Student Information System, School Management Software from OS4ED. Has all functionalities to run single orRelease Notes
Jump to