GHSA-2JM2-2P35-RP3J

Vulnerability from github – Published: 2025-11-19 21:00 – Updated: 2025-11-19 21:55
VLAI?
Summary
OpenSTAManager has Authenticated SQL Injection in API via 'display' parameter
Details

Summary

An authenticated SQL Injection vulnerability in the API allows any user, regardless of permission level, to execute arbitrary SQL queries. By manipulating the display parameter in an API request, an attacker can exfiltrate, modify, or delete any data in the database, leading to a full system compromise.

Details

The vulnerability is located in the retrieve() method within src/API/Manager.php.

User input from the display GET parameter is processed without proper validation. The code strips the surrounding brackets [], splits the string by commas, and then passes each resulting element directly into the selectRaw() function of the query builder.

// User input from 'display' is taken without sanitization.
$select = !empty($request['display']) ? explode(',', substr((string) $request['display'], 1, -1)) : null;

// ...

// The unsanitized input is passed directly to `selectRaw()`.
foreach ($select as $s) {
    $query->selectRaw($s);
}

Since selectRaw() is designed to execute raw SQL expressions, it executes any malicious SQL code provided in the display parameter.

PoC

  1. Log in to an OpenSTAManager instance as any user.
  2. Navigate to the user's profile page to obtain their personal API Token.
  3. Use this API token to send a specially crafted GET request to the API endpoint.

Time-Based Blind Injection Test:

Replace <your_host>, <your_token>, and <resource_name> with your actual values. anagrafiche is a valid resource.

curl "http://<your_host>/openstamanager/api?token=<your_token>&resource=anagrafiche&display=[1,SLEEP(5)]"

The server will delay its response by approximately 5 seconds, confirming the SLEEP(5) command was executed by the database.

Impact

This is a critical SQL Injection vulnerability. Any authenticated user, even those with the lowest privileges, can exploit this vulnerability to:

  • Exfiltrate all data from the database (e.g., user credentials, customer information, invoices, internal data).
  • Modify or delete data, compromising data integrity.
  • Potentially achieve further system compromise, depending on the database user's privileges and system configuration.
Severity ?
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.9.4"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "devcode-it/openstamanager"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.9.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-65103"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-19T21:00:37Z",
    "nvd_published_at": "2025-11-19T20:15:54Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nAn authenticated SQL Injection vulnerability in the API allows any user, regardless of permission level, to execute arbitrary SQL queries. By manipulating the `display` parameter in an API request, an attacker can exfiltrate, modify, or delete any data in the database, leading to a full system compromise.\n\n### Details\nThe vulnerability is located in the `retrieve()` method within `src/API/Manager.php`.\n\nUser input from the `display` GET parameter is processed without proper validation. The code strips the surrounding brackets `[]`, splits the string by commas, and then passes each resulting element directly into the `selectRaw()` function of the query builder.\n\n```php\n// User input from \u0027display\u0027 is taken without sanitization.\n$select = !empty($request[\u0027display\u0027]) ? explode(\u0027,\u0027, substr((string) $request[\u0027display\u0027], 1, -1)) : null;\n\n// ...\n\n// The unsanitized input is passed directly to `selectRaw()`.\nforeach ($select as $s) {\n    $query-\u003eselectRaw($s);\n}\n```\n\nSince `selectRaw()` is designed to execute raw SQL expressions, it executes any malicious SQL code provided in the `display` parameter.\n\n### PoC\n1.  Log in to an OpenSTAManager instance as any user.\n2.  Navigate to the user\u0027s profile page to obtain their personal API Token.\n3.  Use this API token to send a specially crafted GET request to the API endpoint.\n\n**Time-Based Blind Injection Test:**\n\nReplace `\u003cyour_host\u003e`, `\u003cyour_token\u003e`, and `\u003cresource_name\u003e` with your actual values. `anagrafiche` is a valid resource.\n\n```bash\ncurl \"http://\u003cyour_host\u003e/openstamanager/api?token=\u003cyour_token\u003e\u0026resource=anagrafiche\u0026display=[1,SLEEP(5)]\"\n```\n\nThe server will delay its response by approximately 5 seconds, confirming the `SLEEP(5)` command was executed by the database.\n\n### Impact\nThis is a critical SQL Injection vulnerability. Any authenticated user, even those with the lowest privileges, can exploit this vulnerability to:\n\n*   **Exfiltrate all data** from the database (e.g., user credentials, customer information, invoices, internal data).\n*   **Modify or delete data**, compromising data integrity.\n*   Potentially achieve further system compromise, depending on the database user\u0027s privileges and system configuration.",
  "id": "GHSA-2jm2-2p35-rp3j",
  "modified": "2025-11-19T21:55:33Z",
  "published": "2025-11-19T21:00:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2jm2-2p35-rp3j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65103"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/devcode-it/openstamanager"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenSTAManager has Authenticated SQL Injection in API via \u0027display\u0027 parameter"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.