OpenSTAManager has Authenticated SQL Injection in API via 'display' parameter

Description

Summary

An authenticated SQL Injection vulnerability in the API allows any user, regardless of permission level, to execute arbitrary SQL queries. By manipulating the display parameter in an API request, an attacker can exfiltrate, modify, or delete any data in the database, leading to a full system compromise.

Details

The vulnerability is located in the retrieve() method within src/API/Manager.php.

User input from the display GET parameter is processed without proper validation. The code strips the surrounding brackets [], splits the string by commas, and then passes each resulting element directly into the selectRaw() function of the query builder.

// User input from 'display' is taken without sanitization.
$select = !empty($request['display']) ? explode(',', substr((string) $request['display'], 1, -1)) : null;

// ...

// The unsanitized input is passed directly to `selectRaw()`.
foreach ($select as $s) {
    $query->selectRaw($s);
}

Since selectRaw() is designed to execute raw SQL expressions, it executes any malicious SQL code provided in the display parameter.

PoC

  1. Log in to an OpenSTAManager instance as any user.
  2. Navigate to the user's profile page to obtain their personal API Token.
  3. Use this API token to send a specially crafted GET request to the API endpoint.

Time-Based Blind Injection Test:

Replace <your_host>, <your_token>, and <resource_name> with your actual values. anagrafiche is a valid resource.

curl "http://<your_host>/openstamanager/api?token=<your_token>&resource=anagrafiche&display=[1,SLEEP(5)]"

The server will delay its response by approximately 5 seconds, confirming the SLEEP(5) command was executed by the database.

Impact

This is a critical SQL Injection vulnerability. Any authenticated user, even those with the lowest privileges, can exploit this vulnerability to:

  • Exfiltrate all data from the database (e.g., user credentials, customer information, invoices, internal data).
  • Modify or delete data, compromising data integrity.
  • Potentially achieve further system compromise, depending on the database user's privileges and system configuration.

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2025-11-19 21:00:37 UTC
Updated
2025-11-19 21:55:37 UTC
GitHub reviewed
2025-11-19 21:00:37 UTC
NVD published
2025-11-19

EPSS Score

Score Percentile
0.01% 1.16%

CVSS Scores

Base score Version Severity Vector
8.8 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.

Identifiers

CWEs

CWE id Name
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Credits

  • XY20130630 (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
composer devcode-it/openstamanager <= 2.9.4 2.9.5

References

cvelogic Threat Intelligence