Compliance Impact

The vulnerability allows authenticated attackers to execute arbitrary SQL commands and extract sensitive database information via a time-based blind SQL injection. This exposure of sensitive data can lead to violations of data protection regulations such as GDPR and HIPAA, which mandate the protection of personal and health information from unauthorized access.

Because the vulnerability impacts confidentiality, integrity, and availability of data (as indicated by the CVSS score), organizations using affected versions of OpenSIPS Control Panel may face compliance risks if sensitive data is compromised or manipulated.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-36670 is a Time-Based Blind SQL Injection vulnerability in the alias_management module of the OpenSIPS Control Panel (opensips-cp) before version 9.3.3.

The vulnerability occurs because the 'table' GET parameter in alias_management.php is not properly sanitized before being concatenated into an SQL query.

Authenticated attackers can exploit this flaw to inject malicious SQL commands and execute arbitrary SQL queries on the backend database.

Traditional SQL injection methods may fail due to the use of PDO with silent error mode and template crashes, but the query executes before the crash, enabling time-based blind SQL injection to extract sensitive data.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows authenticated attackers to execute arbitrary SQL commands on the backend database of the OpenSIPS Control Panel.

Exploitation can lead to unauthorized access to sensitive data, data modification, or deletion, potentially compromising the confidentiality, integrity, and availability of the system.

Given the high CVSS score of 8.8, the impact is severe and could result in significant security breaches if exploited.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the alias_management.php endpoint of the OpenSIPS Control Panel for time-based blind SQL injection via the 'table' GET parameter. Since the vulnerability requires authentication, detection involves sending crafted requests with malicious payloads in the 'table' parameter and observing response delays that indicate SQL query execution time manipulation.

A common approach is to use tools like curl or specialized SQL injection testing tools to send requests that cause a delay in the response if the injection is successful. For example, you can send a request with a payload that triggers a database sleep function and measure the response time.

• Example curl command (replace <session_cookie> and <target_url>):
• curl -i -b "session=<session_cookie>" "http://<target_url>/alias_management.php?table=users' AND IF(SLEEP(5),1,0)-- -"

If the response is delayed by approximately 5 seconds, it indicates the presence of a time-based blind SQL injection vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the OpenSIPS Control Panel to version 9.3.3 or later, where this vulnerability has been fixed.

Until the upgrade can be applied, restrict access to the alias_management.php module to trusted authenticated users only, and monitor for suspicious activity.

Additionally, review and harden authentication mechanisms to prevent unauthorized access, and consider implementing web application firewall (WAF) rules to detect and block SQL injection attempts targeting the 'table' parameter.

Useful 0 Not Useful 0