CVE-2025-69213
📋 TL;DR
OpenSTAManager versions 2.9.8 and earlier contain a SQL injection vulnerability in the ajax_complete.php endpoint. Authenticated attackers can execute arbitrary SQL commands through the idanagrafica parameter, potentially accessing or modifying database contents. Organizations using vulnerable OpenSTAManager installations for technical assistance and invoicing are affected.
💻 Affected Systems
- OpenSTAManager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including exfiltration of sensitive customer data, financial records, and credentials; potential for data destruction or ransomware deployment.
Likely Case
Unauthorized access to database tables containing customer information, service records, and potentially authentication data.
If Mitigated
Limited impact if server-side input validation and parameterized queries are in place and the application's database account is restricted under least-privilege principles.
🎯 Exploit Status
Exploitation requires authenticated access; SQL injection through GET/POST parameters is typically straightforward for attackers with basic SQL knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://github.com/devcode-it/openstamanager/security/advisories/GHSA-w995-ff8h-rppg
Restart Required: No
Instructions:
No official patch exists. Monitor the GitHub advisory for updates. Consider implementing workarounds or migrating to alternative software if patching is delayed.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement server-side validation to ensure the idanagrafica parameter contains only the expected data type (an integer).
Modify ajax_complete.php to validate: if(!is_numeric($_GET['idanagrafica'])) { die('Invalid input'); }
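The one-line check above stops the injection strings, but is_numeric() also accepts values such as "42.0" or "1e3", and a string check alone still leaves the query built by concatenation. The following PHP is an added example, not OpenSTAManager's own code: it validates idanagrafica strictly as a positive integer and binds it in a prepared statement. The table anagrafiche_demo, its columns and the in-memory SQLite database are constructed stand-ins for the application's real schema and MySQL connection so that the script runs on its own.

```php
<?php
// Added example (not OpenSTAManager code): hardened handling of the
// idanagrafica parameter. Table/column names are hypothetical placeholders;
// SQLite in memory replaces the real MySQL connection so this runs stand-alone
// with: php hardened_lookup.php
declare(strict_types=1);

/**
 * Strict integer validation. FILTER_VALIDATE_INT rejects "1 OR 1=1", "1e3",
 * "42.0" and surrounding whitespace, several of which is_numeric() accepts.
 * Returns the integer, or null when the value is missing or malformed.
 */
function validateIdAnagrafica(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Parameterized lookup. The vulnerable shape this replaces is
 *   "SELECT ... WHERE idanagrafica = " . $_GET['idanagrafica']
 * Binding with PDO::PARAM_INT means the value is never parsed as SQL.
 */
function fetchAnagrafica(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare(
        'SELECT idanagrafica, ragione_sociale FROM anagrafiche_demo WHERE idanagrafica = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Validate, then query; answer 400 on bad input, 404 when nothing matches. */
function handleRequest(PDO $pdo, array $params): array
{
    $id = validateIdAnagrafica($params['idanagrafica'] ?? null);
    if ($id === null) {
        return ['status' => 400, 'body' => ['error' => 'idanagrafica must be a positive integer']];
    }
    $row = fetchAnagrafica($pdo, $id);
    return ['status' => $row === null ? 404 : 200, 'body' => $row ?? ['error' => 'not found']];
}

// --- Stand-alone demo with constructed data -------------------------------
// On the real MySQL connection also pass PDO::ATTR_EMULATE_PREPARES => false
// so binding happens server-side; pdo_sqlite does not take that attribute.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE anagrafiche_demo (idanagrafica INTEGER PRIMARY KEY, ragione_sociale TEXT)');
$pdo->exec("INSERT INTO anagrafiche_demo VALUES (42, 'Example Srl'), (43, 'Sample SpA')");

// Constructed inputs: a valid id, a float-looking value is_numeric() would
// pass, a missing value, and two injection-shaped strings.
$inputs = ['42', '42.0', null, '42 OR 1=1', "42' UNION SELECT 1,2--"];
foreach ($inputs as $input) {
    // The request is simulated as $_GET/$_POST merged into one array.
    $resp = handleRequest($pdo, ['idanagrafica' => $input]);
    printf("%-26s -> HTTP %d %s\n", var_export($input, true), $resp['status'], json_encode($resp['body']));
}
```

In the application the parameter array would come from $_GET or $_POST (the advisory notes both methods reach the endpoint); everything that is not a positive integer is answered with HTTP 400 before any database call is made.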
Web Application Firewall (WAF) Rules
Deploy WAF rules to block SQL injection patterns targeting the ajax_complete.php endpoint.
Add WAF rule: Block requests to */ajax_complete.php* containing SQL keywords in parameters
🧯 If You Can't Patch
- Isolate the OpenSTAManager instance from the internet and restrict network access to authorized users only.
- Implement database-level controls: Use least privilege database accounts, enable logging of all database queries, and regularly audit for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check if OpenSTAManager version is 2.9.8 or earlier by examining version files or admin interface. Test the ajax_complete.php endpoint with SQL injection payloads in a controlled environment.
Check Version:
Check the version in the admin panel or examine files like VERSION.txt, CHANGELOG.md, or composer.json
Verify Fix Applied:
After implementing workarounds, test with SQL injection payloads to confirm they are blocked. Verify input validation rejects non-numeric idanagrafica values.
📡 Detection & Monitoring
Log Indicators:
- Unusual database queries from web application user, especially containing UNION, SELECT, INSERT, or DROP statements
- Multiple failed login attempts followed by successful authentication and SQL injection patterns
Network Indicators:
- HTTP requests to /ajax_complete.php with SQL keywords in parameters
- Unusual database traffic patterns from web server
SIEM Query:
source="web_logs" AND url="*ajax_complete.php*" AND (param="*UNION*" OR param="*SELECT*" OR param="*INSERT*" OR param="*DROP*")
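The SIEM query above matches raw URL text, so a keyword that arrives percent-encoded (for example %55NION for UNION, or + for a space) will not hit it. The following PHP is an added example, not part of the advisory or of OpenSTAManager: it parses combined-format access log lines, keeps only requests to ajax_complete.php, URL-decodes the query string and then looks for the same keywords as whole words. The log lines are constructed samples, not real traffic.

```php
<?php
// Added example (not OpenSTAManager code): scan web server access logs for
// requests to ajax_complete.php whose decoded query string carries SQL
// keywords. Run with: php scan_access_log.php   (PHP 8+)
declare(strict_types=1);

// Whole-word match so "selection" or "dropdown" do not trigger.
const SQL_KEYWORD_RE = '/\b(union|select|insert|drop)\b/i';

/** Parse one Apache/nginx "combined" log line into fields, or null. */
function parseAccessLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'user' => $m[2], 'time' => $m[3],
            'method' => $m[4], 'target' => $m[5], 'status' => (int) $m[6]];
}

/** Return a finding for a suspicious request, or null when it looks benign. */
function inspectRequest(array $req): ?array
{
    $path  = parse_url($req['target'], PHP_URL_PATH) ?? '';
    $query = parse_url($req['target'], PHP_URL_QUERY) ?? '';
    if (!str_ends_with($path, '/ajax_complete.php')) {
        return null;
    }
    // urldecode() handles both %XX escapes and '+' as space, so encoded
    // keywords are seen the way the PHP endpoint itself sees them.
    $decoded = urldecode($query);
    if (!preg_match(SQL_KEYWORD_RE, $decoded, $kw)) {
        return null;
    }
    return ['ip' => $req['ip'], 'user' => $req['user'], 'time' => $req['time'],
            'keyword' => strtoupper($kw[1]), 'query' => $decoded];
}

/** Scan a list of log lines and return the findings in order. */
function scanLog(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        $req = parseAccessLogLine($line);
        if ($req !== null && ($f = inspectRequest($req)) !== null) {
            $findings[] = $f;
        }
    }
    return $findings;
}

// Constructed sample lines: a normal lookup, a benign word containing
// "select", a plain keyword payload, the same payload percent-encoded, and
// a keyword on an unrelated endpoint.
$sample = [
    '10.0.0.5 - alice [12/Jan/2025:10:15:32 +0000] "GET /ajax_complete.php?module=Anagrafiche&idanagrafica=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - alice [12/Jan/2025:10:15:40 +0000] "GET /ajax_complete.php?module=Anagrafiche&search=selection HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.9 - bob [12/Jan/2025:10:16:01 +0000] "GET /ajax_complete.php?idanagrafica=1+UNION+SELECT+1,2,3 HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '10.0.0.9 - bob [12/Jan/2025:10:16:05 +0000] "GET /ajax_complete.php?idanagrafica=1%20%55NION%20%53ELECT%201,2,3 HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '10.0.0.7 - carol [12/Jan/2025:10:17:00 +0000] "GET /index.php?q=select+a+plan HTTP/1.1" 200 200 "-" "Mozilla/5.0"',
];

// Expected: only bob's two requests are reported.
foreach (scanLog($sample) as $f) {
    printf("[%s] %s user=%s keyword=%s query=%s\n",
        $f['time'], $f['ip'], $f['user'], $f['keyword'], $f['query']);
}
```

Access logs only record the URL, so parameters sent in a POST body are invisible to this scan; pair it with the database query logging recommended under "If You Can't Patch", where a UNION or SELECT in the executed statement shows up regardless of how it was delivered.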