Impact
A time‑based blind SQL injection flaw in the alias_management module of OpenSIPS Control Panel (opensips‑cp) allows an attacker to inject arbitrary SQL commands through the 'table' GET parameter in alias_management.php. The vulnerability is a classic field‑injection weakness (CWE‑89) that, if exploited, could lead to unauthorized data extraction, data modification, or database disruption, thereby compromising confidentiality and integrity of the underlying database.
Affected Systems
OpenSIPS Control Panel versions preceding 9.3.3 are affected. Users running older releases that expose the alias_management module should check if the endpoint is reachable by authenticated clients and consider restricting or disabling it if possible.
Risk and Exploitability
Based on the description, it is inferred that the attacker must be authenticated and can reach the web interface of alias_management.php to exploit the vulnerability. The flaw has a CVSS score of 8.8 and an EPSS score of less than 1%. It is not listed in the CISA KEV catalog. The likely attack vector is a remote web interface, where an attacker can manipulate the 'table' parameter to trigger timing delays that confirm successful injection. Because a legitimate user credential is required, the vulnerability is limited to authenticated users, but any successful injection could be leveraged to run arbitrary SQL commands against the database.
OpenCVE Enrichment