Opensis Classic
Monthly
Path traversal in openSIS Classic 9.3 exposes arbitrary server files through the legacy messaging sent-mail attachment download endpoint, exploitable by any authenticated low-privilege user. The vulnerability allows crafted sequences such as directory traversal patterns to escape the intended attachment directory and retrieve sensitive server-side files. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis; however, the low authentication bar and network accessibility make this a realistic internal threat.
Path traversal in openSIS Classic 9.3 exposes arbitrary server files through the legacy messaging sent-mail attachment download endpoint, exploitable by any authenticated low-privilege user. The vulnerability allows crafted sequences such as directory traversal patterns to escape the intended attachment directory and retrieve sensitive server-side files. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis; however, the low authentication bar and network accessibility make this a realistic internal threat.