## https://sploitus.com/exploit?id=3CF3D3E3-5625-504A-BE8B-AFA55EA48093
# CVE-2025-69214: OpenSTAManager has a SQL Injection in ajax_select.php (componenti endpoint)
## Overview
| Field | Details |
|---|---|
| **CVE ID** | CVE-2025-69214 |
| **Vulnerability Type** | SQL Injection |
| **Severity** | HIGH |
| **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |
## Description
A SQL Injection vulnerability exists in the `ajax_select.php` endpoint when handling the `componenti` operation. An authenticated attacker can inject malicious SQL code through the `options[matricola]` parameter.
## Proof of Concept
### Vulnerable Code
**File:** `modules/impianti/ajax/select.php:122-124`
```php
// Vulnerable branch as shipped (kept as-is): the raw `options[matricola]`
// value is concatenated straight into the IN() list of the query.
case 'componenti':
    $impianti = $superselect['matricola'];
    if (!empty($impianti)) {
        $where[] = '`my_componenti`.`id_impianto` IN ('.$impianti.')';
    }
```
### Data Flow
1. **Source:** `$_GET['options']['matricola']` → `$superselect['matricola']`
2. **Vulnerable:** User input is concatenated directly into the `IN()` clause without validation or parameter binding
3. **Sink:** Query executed via the AJAX select framework
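As an added example (not OpenSTAManager code and not part of the advisory), the same `componenti` branch rewritten so that only integer IDs are accepted and the values reach the database as bound parameters rather than as query text. It assumes a PDO connection in `$pdo`; the table `my_componenti` and column `id_impianto` come from the vulnerable snippet above, while `parseIdList`, `buildComponentiFilter` and `selectComponenti` are names chosen for this example.

```php
<?php
declare(strict_types=1);

/**
 * Parse a comma-separated list of impianto IDs into integers.
 * Returns null when any element is not a plain positive integer, so the
 * caller can refuse the request instead of concatenating raw text into SQL.
 * (Added example; not the project's own parser.)
 */
function parseIdList(?string $raw): ?array
{
    if ($raw === null || trim($raw) === '') {
        return [];
    }
    $ids = [];
    foreach (explode(',', $raw) as $part) {
        $part = trim($part);
        // Digits only: anything else (quotes, parentheses, function calls,
        // comment markers) is rejected outright.
        if (!preg_match('/^[1-9][0-9]{0,18}$/', $part)) {
            return null;
        }
        $ids[] = (int) $part;
    }
    return array_values(array_unique($ids));
}

/**
 * Build the WHERE fragment and its bound parameters for the lookup.
 * One `?` placeholder per ID, so the values never touch the SQL string.
 */
function buildComponentiFilter(array $ids): array
{
    if ($ids === []) {
        return ['', []];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    return ['`my_componenti`.`id_impianto` IN (' . $placeholders . ')', $ids];
}

/**
 * Hardened replacement for the `componenti` branch.
 * $pdo is assumed to be an existing PDO connection.
 */
function selectComponenti(PDO $pdo, ?string $rawMatricola): array
{
    $ids = parseIdList($rawMatricola);
    if ($ids === null) {
        // Invalid input: refuse the request and leave a trace for detection.
        error_log('componenti: rejected non-numeric options[matricola]');
        http_response_code(400);
        return [];
    }
    [$where, $params] = buildComponentiFilter($ids);
    $sql = 'SELECT * FROM `my_componenti`' . ($where !== '' ? ' WHERE ' . $where : '');
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample inputs (not taken from the advisory):
var_dump(parseIdList('3,7,7'));   // [3, 7]: valid list, duplicates collapsed
var_dump(parseIdList('3,x'));     // NULL: request is rejected with HTTP 400
var_dump(buildComponentiFilter([3, 7]));
// ['`my_componenti`.`id_impianto` IN (?,?)', [3, 7]]
```

The integer allow-list alone would already block this injection; the placeholders are kept as well so that a later change to the accepted format (for example, alphanumeric serial numbers) cannot reintroduce string concatenation. The `error_log` call on rejection gives operations a concrete line to alert on.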
### Exploit
**Manual PoC (Time-based Blind SQLi):**
```http
GET /aja...
```
## Affected Products
- **devcode-it/openstamanager** (versions: <= 2.9.8)
## CWE Classification
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
## References
- https://github.com/devcode-it/openstamanager/security/advisories/GHSA-qjv8-63xq-gq8m
- https://nvd.nist.gov/vuln/detail/CVE-2025-69214
- https://github.com/advisories/GHSA-qjv8-63xq-gq8m
## Disclaimer
This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.