CVE-2020-6143

Summary

A remote code execution vulnerability exists in the install functionality of OS4Ed openSIS 7.4. The password variable which is set at line 122 in install/Step5.php allows for injection of PHP code into the Data.php file that it writes. An attacker can send an HTTP request to trigger this vulnerability.

Affected Software

VendorProductVersion RangeStatus
n/aOS4EdOS4Ed openSIS 7.4affected

Weaknesses

  • CWE-96: CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

ADP Enrichment

CVE Program Container

Additional References

References