OpenSTAManager Privilege Escalation and Authentication Bypass Vulnerability

Vulnerability

A privilege escalation and authentication bypass vulnerability has been identified in OpenSTAManager versions up to and including 2.9.8. The script 'modules/utenti/actions.php' processes user-management operations without performing any authentication or authorization check, so an attacker who requests it directly can arbitrarily change a user's group. As a result, an attacker could promote any user to the 'Amministratori' group or demote any user, including administrators.

Impact

Exploitation of this vulnerability allows an unauthenticated attacker to grant administrator privileges to any user account, potentially leading to a full compromise of the application.

Reproduction

To reproduce this vulnerability, send a POST request to 'modules/utenti/actions.php' without any authentication or cookies. Include the 'op' parameter with a value that triggers the user update action, and specify the target user's ID and the desired group assignment. The changes will be reflected in the database and the administrator panel, demonstrating the successful exploitation of the vulnerability.
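The root cause described above is an action handler that applies a group change before establishing who is asking. The following is an added illustration of the guard such a handler needs, not code from OpenSTAManager itself: the session keys ('id_utente', 'gruppo', 'csrf'), the POST parameter names ('op', 'id_utente', 'idgruppo', 'csrf'), the operation name 'update_group' and the non-admin group 'Utenti' are assumptions made for the example; only the 'Amministratori' group name and the script path come from the advisory.

```php
<?php
// Added example (not OpenSTAManager's own code): the checks a privileged
// handler such as modules/utenti/actions.php must run before touching
// user/group data. Session keys, parameter names and the operation name
// are assumptions for this illustration.
declare(strict_types=1);

const ADMIN_GROUP = 'Amministratori'; // group name taken from the advisory

/**
 * Decide whether a request may change a user's group.
 *   $session - server-side session data; an empty array models the case
 *              where no session cookie was sent at all
 *   $method  - HTTP method of the request
 *   $post    - POST body (assumed keys: op, id_utente, idgruppo, csrf)
 * Returns 'ok' when the change may proceed, otherwise a short deny reason.
 */
function authorize_group_change(array $session, string $method, array $post): string
{
    // 1. Authentication. The advisory's finding is that this check was
    //    missing entirely, so a request without any cookie was processed.
    if (empty($session['id_utente'])) {
        return 'deny: unauthenticated';
    }
    // 2. State-changing operations only over POST.
    if ($method !== 'POST') {
        return 'deny: method';
    }
    // 3. CSRF token bound to the session, so a logged-in administrator
    //    cannot be made to issue the request from another site.
    if (!isset($post['csrf'], $session['csrf'])
        || !hash_equals((string) $session['csrf'], (string) $post['csrf'])) {
        return 'deny: csrf';
    }
    // 4. Authorization: only administrators may move users between groups.
    if (($session['gruppo'] ?? '') !== ADMIN_GROUP) {
        return 'deny: not admin';
    }
    // 5. Only the expected operation, with well-formed numeric identifiers.
    if (($post['op'] ?? '') !== 'update_group') {
        return 'deny: unknown op';
    }
    if (!ctype_digit((string) ($post['id_utente'] ?? ''))
        || !ctype_digit((string) ($post['idgruppo'] ?? ''))) {
        return 'deny: bad input';
    }
    // 6. An administrator may not change their own group (prevents
    //    accidentally removing the last administrator).
    if ((int) $post['id_utente'] === (int) $session['id_utente']) {
        return 'deny: self-change';
    }
    return 'ok';
}

// Vulnerable shape (the pattern the advisory describes; do not do this):
//   if (($_POST['op'] ?? '') === 'update_group') { $updateGroup(...); }
// Hardened shape: refuse, log, and return before any database access.
function handle_request(array $session, string $method, array $post, callable $updateGroup): string
{
    $verdict = authorize_group_change($session, $method, $post);
    if ($verdict !== 'ok') {
        http_response_code(403);
        error_log('group change refused (' . $verdict . ') op=' . ($post['op'] ?? '')); // audit trail
        return $verdict;
    }
    $updateGroup((int) $post['id_utente'], (int) $post['idgruppo']);
    return 'ok';
}

// Self-check with constructed requests (run: php this_file.php).
if (PHP_SAPI === 'cli') {
    $post  = ['op' => 'update_group', 'id_utente' => '7', 'idgruppo' => '1', 'csrf' => 'tok'];
    $admin = ['id_utente' => 1, 'gruppo' => ADMIN_GROUP, 'csrf' => 'tok'];
    $user  = ['id_utente' => 5, 'gruppo' => 'Utenti', 'csrf' => 'tok']; // constructed non-admin session
    var_dump(authorize_group_change([], 'POST', $post));     // string(21) "deny: unauthenticated"
    var_dump(authorize_group_change($user, 'POST', $post));  // string(15) "deny: not admin"
    var_dump(authorize_group_change($admin, 'POST', $post)); // string(2) "ok"
}
```

The order of the checks matters: authentication is decided first, so an unauthenticated request is refused without reading any of the other parameters, and every refusal is written to the error log so that probing of the endpoint leaves a trace an operator can alert on.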

Added: Mar 3, 2026, 10:50 PM
Updated: Mar 3, 2026, 10:50 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          5.0
  exploitability  6.0
  remediation     0.0
  relevance       3.4
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.