Source: https://sploitus.com/exploit?id=10423DBA-85AD-5C77-80E5-A8B9F095574B
# CVE-2025-69213: OpenSTAManager has a SQL Injection in ajax_complete.php (get_sedi endpoint)

## Overview

| Field | Details |
|---|---|
| **CVE ID** | CVE-2025-69213 |
| **Vulnerability Type** | SQL Injection |
| **Severity** | HIGH |
| **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |

## Description

### Summary
A SQL Injection vulnerability exists in the `ajax_complete.php` endpoint when handling the `get_sedi` operation. An authenticated attacker can inject malicious SQL code through the `idanagrafica` parameter, leading to unauthorized database access.


## Proof of Concept

### Vulnerable Code
**File:** `modules/anagrafiche/ajax/complete.php:28`

```php
case 'get_sedi':
    // Untrusted request parameter, read straight from the query string
    $idanagrafica = get('idanagrafica');
    // The value is spliced into the SQL text; the surrounding quotes offer no protection
    $q = "SELECT id, CONCAT_WS( ' - ', nomesede, citta ) AS descrizione
          FROM an_sedi
          WHERE idanagrafica='".$idanagrafica."' ...";
    // Sink: the concatenated string is executed unchanged
    $rs = $dbo->fetchArray($q);
```

### Data Flow
1. **Source:** `$_GET['idanagrafica']` → `get('idanagrafica')`
2. **Vulnerable:** User input concatenated directly into SQL query with single quotes
3. **Sink:** `$dbo->fetchAr...`
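For contrast, the same `get_sedi` query with the input validated and bound as a parameter. This is an added example written against plain PDO, not OpenSTAManager's own database layer or its actual fix; `$pdo` is assumed to be an open PDO connection to the application database.

```php
<?php
// Added example (not project code): hardened form of the get_sedi lookup.
// $pdo is an assumed PDO connection; table and column names follow the advisory.
function getSediDescrizioni(PDO $pdo, string $rawIdanagrafica): array
{
    // idanagrafica is a numeric foreign key: reject anything that is not a
    // plain non-negative integer before it gets anywhere near the database.
    if (!ctype_digit($rawIdanagrafica)) {
        return [];
    }
    $idanagrafica = (int) $rawIdanagrafica;

    // The value travels as a bound parameter, so it can never change the
    // structure of the statement, whatever characters it contains.
    $sql = "SELECT id, CONCAT_WS(' - ', nomesede, citta) AS descrizione
            FROM an_sedi
            WHERE idanagrafica = :idanagrafica";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':idanagrafica', $idanagrafica, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

The integer check is defence in depth: binding alone already removes the injection, but rejecting malformed ids early also keeps the error path free of database round trips.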

## Affected Products

- **devcode-it/openstamanager** (versions: <= 2.9.8)


## CWE Classification

- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')


## References

- https://github.com/devcode-it/openstamanager/security/advisories/GHSA-w995-ff8h-rppg
- https://nvd.nist.gov/vuln/detail/CVE-2025-69213
- https://github.com/advisories/GHSA-w995-ff8h-rppg


## Disclaimer

This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.