OpenSTAManager Authenticated SQL Injection Vulnerability Allowing Arbitrary SQL Execution

An authenticated SQL injection vulnerability has been identified in OpenSTAManager versions prior to 2.9.5. This vulnerability exists in the API, where user input from the 'display' parameter is not properly validated. As a result, any authenticated user can execute arbitrary SQL queries. Exploitation of this vulnerability could lead to unauthorized data access, modification, or deletion, potentially causing a full system compromise.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary SQL queries, leading to unauthorized access, modification, or deletion of database information. This could result in a complete compromise of the affected system.

Reproduction

To reproduce this vulnerability, log in to an OpenSTAManager instance as any user. Navigate to the user's profile page to obtain the personal API token. Use this token to send a crafted GET request to the API endpoint, manipulating the 'display' parameter to include malicious SQL commands. For example, inserting a command that causes a time-based delay can confirm the execution of the injected SQL.

Remediation

Users are advised to update OpenSTAManager to version 2.9.5 or later, where this vulnerability has been patched.