Description
A Time-Based Blind SQL Injection vulnerability in the alias_management module of OpenSIPS Control Panel (opensips-cp) prior to version 9.3.3 allows authenticated attackers to execute arbitrary SQL commands via the 'table' GET parameter in alias_management.php.
Published: 2026-06-15
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A time‑based blind SQL injection flaw in the alias_management module of OpenSIPS Control Panel (opensips‑cp) allows an attacker to inject arbitrary SQL commands through the 'table' GET parameter in alias_management.php. The vulnerability is a classic field‑injection weakness (CWE‑89) that, if exploited, could lead to unauthorized data extraction, data modification, or database disruption, thereby compromising confidentiality and integrity of the underlying database.

Affected Systems

OpenSIPS Control Panel versions preceding 9.3.3 are affected. Users running older releases that expose the alias_management module should check if the endpoint is reachable by authenticated clients and consider restricting or disabling it if possible.

Risk and Exploitability

Based on the description, it is inferred that the attacker must be authenticated and can reach the web interface of alias_management.php to exploit the vulnerability. The flaw has a CVSS score of 8.8 and an EPSS score of less than 1%. It is not listed in the CISA KEV catalog. The likely attack vector is a remote web interface, where an attacker can manipulate the 'table' parameter to trigger timing delays that confirm successful injection. Because a legitimate user credential is required, the vulnerability is limited to authenticated users, but any successful injection could be leveraged to run arbitrary SQL commands against the database.

Generated by OpenCVE AI on June 18, 2026 at 01:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenSIPS Control Panel to version 9.3.3 or later to apply the vendor‑supplied fix for the SQL injection flaw.
  • If an upgrade cannot be performed immediately, block or restrict access to alias_management.php and disable or filter the 'table' GET parameter to prevent injection attempts.
  • Configure the database account used by OpenSIPS Control Panel with least‑privilege rights to reduce potential damage from any successful SQL execution.

Generated by OpenCVE AI on June 18, 2026 at 01:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Opensips
Opensips opensips
Vendors & Products Opensips
Opensips opensips

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Time‑Based Blind SQL Injection in OpenSIPS Control Panel's Alias Management Module

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title Time‑Based Blind SQL Injection in OpenSIPS Control Panel's Alias Management Module

Tue, 16 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description A Time-Based Blind SQL Injection vulnerability in the alias_management module of OpenSIPS Control Panel (opensips-cp) prior to version 9.3.3 allows authenticated attackers to execute arbitrary SQL commands via the 'table' GET parameter in alias_management.php.
References

Subscriptions

Opensips Opensips
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-16T13:40:32.892Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36670

cve-icon Vulnrichment

Updated: 2026-06-16T13:40:13.527Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T20:16:26.020

Modified: 2026-06-16T15:51:54.823

Link: CVE-2026-36670

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:30:16Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')