8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-65103

CVE-2025-65103: OpenSTAManager has Authenticated SQL Injection in API via 'display' parameter

Summary

An authenticated SQL Injection vulnerability in the API allows any user, regardless of permission level, to execute arbitrary SQL queries. By manipulating the display parameter in an API request, an attacker can exfiltrate, modify, or delete any data in the database, leading to a full system compromise.

Details

The vulnerability is located in the retrieve() method within src/API/Manager.php.

User input from the display GET parameter is processed without proper validation. The code strips the surrounding brackets [], splits the string by commas, and then passes each resulting element directly into the selectRaw() function of the query builder.

// User input from 'display' is taken without sanitization.
$select = !empty($request['display']) ? explode(',', substr((string) $request['display'], 1, -1)) : null;

// ...

// The unsanitized input is passed directly to `selectRaw()`.
foreach ($select as $s) {
    $query->selectRaw($s);
}

Since selectRaw() is designed to execute raw SQL expressions, it executes any malicious SQL code provided in the display parameter.

PoC

Log in to an OpenSTAManager instance as any user.
Navigate to the user's profile page to obtain their personal API Token.
Use this API token to send a specially crafted GET request to the API endpoint.

Time-Based Blind Injection Test:

Replace <your_host>, <your_token>, and <resource_name> with your actual values. anagrafiche is a valid resource.

curl "http://<your_host>/openstamanager/api?token=<your_token>&resource=anagrafiche&display=[1,SLEEP(5)]"

The server will delay its response by approximately 5 seconds, confirming the SLEEP(5) command was executed by the database.

Impact

This is a critical SQL Injection vulnerability. Any authenticated user, even those with the lowest privileges, can exploit this vulnerability to:

Exfiltrate all data from the database (e.g., user credentials, customer information, invoices, internal data).
Modify or delete data, compromising data integrity.
Potentially achieve further system compromise, depending on the database user's privileges and system configuration.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-65103

CVE-2025-65103:

8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
devcode-it/openstamanager	composer	<= 2.9.4	2.9.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists within the retrieve method of the Manager class, located in src/API/Manager.php. The core issue is that user-controlled input from the display parameter is used to construct a raw SQL query via selectRaw() without proper sanitization. An attacker can provide malicious SQL expressions within the display parameter, which the database will then execute. The provided patch addresses this by introducing a validation step. It retrieves the legitimate column names for the target table and filters the input from the display parameter against this allow-list using array_intersect. This ensures that only valid column names are included in the SELECT clause, effectively neutralizing the SQL injection vector. The commit message 'fix: sanitized variables from apis to prevent sql injection' and the code changes directly confirm this analysis.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-65103: OpenSTAManager has Authenticated SQL Injection in API via 'display' parameter

Summary

Details

PoC

Impact

CVE-2025-65103:

8.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-65103: OpenSTAManager has Authenticated SQL Injection in API via 'display' parameter

Summary

Details

PoC

Impact

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

8.8

8.8

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI