GHSA-247V-7CW6-Q57V
Vulnerability from github – Published: 2026-03-03 17:43 – Updated: 2026-03-03 17:43Summary
A privilege escalation and authentication bypass vulnerability in OpenSTAManager allows any attacker to arbitrarily change a user's group (idgruppo) by directly calling modules/utenti/actions.php. This can promote an existing account (e.g. agent) into the Amministratori group as well as demote any user including existing administrators.
Details
modules/utenti/actions.php is reachable directly via http://<IP>:8080/modules/utenti/actions.php and processes privileged information without requiring any authentication or authorization checks on fields like idgruppo. As a result, an attacker can submit a crafted POST request that updates the targets record and assigns it to the administrator group.
The file explicitly sets:
$skip_permissions = true;
include_once __DIR__.'/../../core.php';
core.php then invokes:
Permissions::skip();
Thus, disabling any authentication and permission enforcement. As a result, this file processes operations based on the op parameter in the POST request, not only update_user. Sensitive fields like idgruppo and others can be updated without verifying anything.
PoC
A target username exists, such as "agent" with an ID of 4. No authentication or cookies are required. Send the following POST request via Burp Suite or similar:
The target's group is updated in the database.
Verify the changes in the database before and after the POST request:
Changes also visible in the administrator panel, they have been moved from the Agenti group to Amministratori.
Impact
An unauthenticated attacker can assign administrator privileges to existing users, modify group memberships, enable/disable accounts and other operations that are exposed in the file. This can lead to a full compromise of the application.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "devcode-it/openstamanager"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.9.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27012"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T17:43:49Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Summary\nA privilege escalation and authentication bypass vulnerability in OpenSTAManager allows any attacker to arbitrarily change a user\u0027s group (`idgruppo`) by directly calling `modules/utenti/actions.php`. This can promote an existing account (e.g. agent) into the Amministratori group as well as demote any user including existing administrators.\n\n### Details\n`modules/utenti/actions.php` is reachable directly via `http://\u003cIP\u003e:8080/modules/utenti/actions.php` and processes privileged information without requiring any authentication or authorization checks on fields like idgruppo. As a result, an attacker can submit a crafted POST request that updates the targets record and assigns it to the administrator group.\n\nThe file explicitly sets:\n```PHP\n$skip_permissions = true;\ninclude_once __DIR__.\u0027/../../core.php\u0027;\n```\n`core.php` then invokes:\n\n```PHP\nPermissions::skip();\n```\nThus, disabling any authentication and permission enforcement. As a result, this file processes operations based on the `op` parameter in the POST request, not only `update_user`. Sensitive fields like `idgruppo` and others can be updated without verifying anything.\n\n### PoC\nA target username exists, such as \"agent\" with an ID of 4. No authentication or cookies are required. Send the following POST request via Burp Suite or similar:\n\u003cimg width=\"1094\" height=\"255\" alt=\"image\" src=\"https://github.com/user-attachments/assets/2e8cb148-1b5d-4e5c-9c73-05ed75d64188\" /\u003e\nThe target\u0027s group is updated in the database.\nVerify the changes in the database before and after the POST request:\n\u003cimg width=\"1053\" height=\"430\" alt=\"image\" src=\"https://github.com/user-attachments/assets/49f63ca0-8a04-4dd1-b27c-69699d2ce26f\" /\u003e\nChanges also visible in the administrator panel, they have been moved from the Agenti group to Amministratori.\n\n### Impact\nAn unauthenticated attacker can assign administrator privileges to existing users, modify group memberships, enable/disable accounts and other operations that are exposed in the file. This can lead to a full compromise of the application.",
"id": "GHSA-247v-7cw6-q57v",
"modified": "2026-03-03T17:43:49Z",
"published": "2026-03-03T17:43:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-247v-7cw6-q57v"
},
{
"type": "PACKAGE",
"url": "https://github.com/devcode-it/openstamanager"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "OpenSTAManager affected by unauthenticated privilege escalation via modules/utenti/actions.php"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.