CVE-2026-36670

OpenSIPS · Control Panel (opensips-cp)

A Time-Based Blind SQL Injection vulnerability exists in the alias_management module of the OpenSIPS Control Panel.

Executive summary

An authenticated SQL injection vulnerability in OpenSIPS Control Panel allows an authenticated attacker to extract sensitive database information via the alias_management module.

Vulnerability

The alias_management module fails to properly sanitize user inputs, enabling a Time-Based Blind SQL Injection. An authenticated attacker can execute arbitrary SQL commands by manipulating parameters within this module.

Business impact

With a CVSS score of 8.8, this vulnerability poses a severe risk of data breach and unauthorized database modification. Successful exploitation could lead to full database compromise, where sensitive configuration or user data is exfiltrated or manipulated, undermining the security of the entire telephony infrastructure.

Remediation

Immediate Action: Update OpenSIPS Control Panel to version 9.3.3 or later.

Proactive Monitoring: Enable database query logging and monitor for unusual query execution times, which are indicative of time-based injection attacks.

Compensating Controls: Use a Web Application Firewall (WAF) with SQL injection detection rules to inspect and block malicious input directed at the alias_management module.
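The "Proactive Monitoring" item above can be turned into a concrete check. The following is an added example, not code from the advisory or from the OpenSIPS project: it parses MySQL slow-query-log entries and flags those that either contain a timing primitive or run unusually long against the alias table. The log excerpt is constructed, and the table name "dbaliases", the 2-second threshold and the client addresses are assumptions.

```python
import re
from dataclasses import dataclass
# Constructed MySQL slow-query-log excerpt (not from a real deployment).
# Table name "dbaliases" and the 2-second threshold are assumptions.
SAMPLE_SLOW_LOG = """\
# Time: 2026-03-10T12:00:01.000000Z
# User@Host: opensips[opensips] @ localhost []  Id:    41
# Query_time: 0.002100  Lock_time: 0.000050 Rows_sent: 1  Rows_examined: 1
SELECT alias_username FROM dbaliases WHERE username='alice';
# Time: 2026-03-10T12:00:07.000000Z
# User@Host: opensips[opensips] @ 192.0.2.10 []  Id:    42
# Query_time: 5.001300  Lock_time: 0.000040 Rows_sent: 0  Rows_examined: 12
SELECT alias_username FROM dbaliases WHERE username='alice' AND SLEEP(5);
# Time: 2026-03-10T12:00:09.000000Z
# User@Host: report[report] @ localhost []  Id:    43
# Query_time: 3.200000  Lock_time: 0.000030 Rows_sent: 9000  Rows_examined: 120000
SELECT COUNT(*) FROM acc GROUP BY method;
"""

HEADER_RE = re.compile(r"# User@Host: \S+ @ (?P<host>\S+).*?\n# Query_time: (?P<qtime>[\d.]+)", re.S)
# Functions that make a blind query stall for a measurable time; their presence is a strong indicator.
TIMING_FUNCS = re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP|WAITFOR)\b", re.I)

@dataclass
class Finding:
    host: str
    query_time: float
    reason: str
    query: str

def parse_entries(log_text):
    """Yield (client_host, query_time_seconds, sql_text) for each slow-log entry."""
    for chunk in re.split(r"^# Time: [^\n]*\n", log_text, flags=re.M)[1:]:
        m = HEADER_RE.search(chunk)
        if not m:
            continue
        sql = " ".join(l for l in chunk.splitlines()
                       if l and not l.startswith(("#", "SET timestamp")))
        yield m.group("host"), float(m.group("qtime")), sql

def detect(log_text, slow_threshold=2.0, table="dbaliases"):
    """Flag timing primitives anywhere, and slow queries only when they touch the alias table."""
    findings = []
    for host, qtime, sql in parse_entries(log_text):
        if TIMING_FUNCS.search(sql):
            findings.append(Finding(host, qtime, "timing primitive in query", sql))
        elif qtime >= slow_threshold and table in sql.lower():
            findings.append(Finding(host, qtime, "slow query against alias table", sql))
    return findings
```

The third entry is slow but runs against an unrelated table, so it is not reported; a legitimately slow alias query would still be surfaced for review under the second rule.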

Exploitation status

Public Exploit Available: true

Analyst recommendation

The availability of a public exploit significantly elevates the risk associated with this vulnerability. Organizations using OpenSIPS Control Panel must upgrade to version 9.3.3 immediately. Security teams should perform a forensic review of database logs to determine if unauthorized access has already occurred.