CVE-2026-36670

Vulnerability

A Time-Based Blind SQL Injection vulnerability exists in the alias_management module of OpenSIPS Control Panel (opensips-cp) prior to version 9.3.3. The issue is caused by unsafe concatenation of the user-controlled table GET parameter into an SQL query inside alias_management.php [1]. The code uses PDO with ERRMODE_SILENT, which suppresses error output and may cause a template crash, but the SQL query is executed before the crash occurs, enabling blind exploitation [1].

Exploitation

An authenticated attacker with access to the alias_management tool can send crafted HTTP GET requests with malicious table parameter values to trigger time-based SQL injection [1]. No special network position or user interaction is required beyond a valid session. The attacker uses SLEEP() or similar time-delay functions to infer database information via response timing [1].

Impact

Successful exploitation allows extraction of arbitrary data from the backend database, leading to complete compromise of confidentiality, integrity, and availability (CVSS 8.8, CIA:H) [1]. An attacker could retrieve credentials, modify database contents, or potentially achieve further system access depending on database permissions [1].

Mitigation

Upgrade to OpenSIPS Control Panel 9.3.3 or later, which contains the fix for this vulnerability [1]. No workarounds are mentioned in the available references [1]. The vulnerability is listed with a CVSS score of 8.8 and a suggested vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [1].