CVEs-PoC/2020/CVE-2020-6134.md

### [CVE-2020-6134](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6134)
![](https://img.shields.io/static/v1?label=Product&message=OS4Ed&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-89%3A%20Improper%20Neutralization%20of%20Special%20Elements%20used%20in%20an%20SQL%20Command%20('SQL%20Injection')&color=brighgreen)

### Description

SQL injection vulnerabilities exist in the ID parameters of OS4Ed openSIS 7.3 pages. The id parameter in the page MassDropModal.php is vulnerable to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

### POC

#### Reference
- https://talosintelligence.com/vulnerability_reports/TALOS-2020-1077

#### Github
- https://github.com/404notf0und/CVE-Flow