GHSA-2jm2-2p35-rp3j
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2jm2-2p35-rp3j
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-2jm2-2p35-rp3j/GHSA-2jm2-2p35-rp3j.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-2jm2-2p35-rp3j
- Aliases
- Published
- 2025-11-19T21:00:37Z
- Modified
- 2025-11-19T22:14:24.459283Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- OpenSTAManager has Authenticated SQL Injection in API via 'display' parameter
- Details
-
Summary
An authenticated SQL Injection vulnerability in the API allows any user, regardless of permission level, to execute arbitrary SQL queries. By manipulating the
displayparameter in an API request, an attacker can exfiltrate, modify, or delete any data in the database, leading to a full system compromise.Details
The vulnerability is located in the
retrieve()method withinsrc/API/Manager.php.User input from the
displayGET parameter is processed without proper validation. The code strips the surrounding brackets[], splits the string by commas, and then passes each resulting element directly into theselectRaw()function of the query builder.// User input from 'display' is taken without sanitization. $select = !empty($request['display']) ? explode(',', substr((string) $request['display'], 1, -1)) : null; // ... // The unsanitized input is passed directly to `selectRaw()`. foreach ($select as $s) { $query->selectRaw($s); }Since
selectRaw()is designed to execute raw SQL expressions, it executes any malicious SQL code provided in thedisplayparameter.PoC
- Log in to an OpenSTAManager instance as any user.
- Navigate to the user's profile page to obtain their personal API Token.
- Use this API token to send a specially crafted GET request to the API endpoint.
Time-Based Blind Injection Test:
Replace
<your_host>,<your_token>, and<resource_name>with your actual values.anagraficheis a valid resource.curl "http://<your_host>/openstamanager/api?token=<your_token>&resource=anagrafiche&display=[1,SLEEP(5)]"The server will delay its response by approximately 5 seconds, confirming the
SLEEP(5)command was executed by the database.Impact
This is a critical SQL Injection vulnerability. Any authenticated user, even those with the lowest privileges, can exploit this vulnerability to:
- Exfiltrate all data from the database (e.g., user credentials, customer information, invoices, internal data).
- Modify or delete data, compromising data integrity.
- Potentially achieve further system compromise, depending on the database user's privileges and system configuration.
- Database specific
{ "nvd_published_at": "2025-11-19T20:15:54Z", "github_reviewed": true, "cwe_ids": [ "CWE-89" ], "severity": "HIGH", "github_reviewed_at": "2025-11-19T21:00:37Z" }- References
Affected packages
Packagist / devcode-it/openstamanager
Package
- Name
- devcode-it/openstamanager
- Purl
- pkg:composer/devcode-it/openstamanager
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.9.5