Introduction
ITFlow is an open-source application designed for MSPs (managed service providers) that provides customer documentation management, accounting, and a ticket-based support system.
Issue
Two security vulnerabilities were identified in the application: an unauthenticated open redirect and an authenticated SQL injection. Both issues could be exploited to compromise user security and expose sensitive information.
Timeline
| Date | Description |
|---|---|
| 04/08/2025 | Reporting vulnerabilities through the GitHub project |
| 04/08/2025 | Response from the publisher and start of corrections |
| 05/09/2025 | Official release of the SQLi patch |
| 08/11/2025 | Official release of the open redirect patch |
| 06/01/2026 | CVE identifiers reserved |
Technical details
Unauthenticated open redirect
The application uses the $_GET['last_visited'] parameter to redirect users to the page they were visiting before their session expired. This parameter is Base64-encoded and is expected to contain a relative path within the application.
```php
// Vulnerable code as shipped: the decoded value is appended directly after the
// configured host without any validation.
if (isset($_GET['last_visited'])) {
    header("Location: " . $_SERVER["REQUEST_SCHEME"] . "://" . $config_base_url . base64_decode($_GET['last_visited']));
}
```
However, the last_visited parameter is fully user-controlled and insufficiently validated before being used in the redirection logic. As a result, an attacker can craft a malicious link containing a Base64-encoded external URL or path traversal sequence, causing the application to redirect users to an arbitrary external website.
This vulnerability can be exploited without authentication and may be leveraged for phishing attacks, user redirection to malicious content, or social engineering campaigns, as the redirection appears to originate from a trusted domain.
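The following is an added example of a hardened replacement for the redirect logic above; it is not ITFlow's own code or its published fix. It decodes `last_visited` in strict mode and accepts the result only if it is a relative path inside the application (single leading `/`, no scheme or host, no control characters, no `..` segments), falling back to a default page otherwise. The function name `safe_last_visited()` and the default path `/dashboard.php` are assumptions; `$config_base_url` is the host variable already used on the page.

```php
<?php
// Added example, not ITFlow's own code. Validates the Base64-encoded
// last_visited value before it is used in a Location header, so that only a
// relative path inside the application is accepted.
// Assumptions: $config_base_url holds the application's host as on the page;
// safe_last_visited() and the default path are hypothetical names.

function safe_last_visited(?string $encoded, string $default = '/dashboard.php'): string
{
    if ($encoded === null || $encoded === '') {
        return $default;
    }
    // Strict mode: reject input that is not valid Base64 instead of guessing.
    $decoded = base64_decode($encoded, true);
    if ($decoded === false || $decoded === '') {
        return $default;
    }
    // The decoded value is appended directly after the host, so anything that
    // does not begin with exactly one "/" could alter the authority part of the
    // URL rather than the path. "//" is also rejected as a protocol-relative form.
    if ($decoded[0] !== '/' || substr($decoded, 0, 2) === '//') {
        return $default;
    }
    // Control characters would allow header injection; backslashes are
    // normalised to "/" by browsers and are never part of a legitimate path here.
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $decoded) === 1) {
        return $default;
    }
    // Must parse as a path-only reference (no scheme, no host) and contain no
    // ".." segments.
    $parts = parse_url($decoded);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host']) || !isset($parts['path'])) {
        return $default;
    }
    foreach (explode('/', $parts['path']) as $segment) {
        if ($segment === '..') {
            return $default;
        }
    }
    return $decoded;
}

// Usage, mirroring the page's redirect with the validated value in place of the
// raw base64_decode() output:
// $target = safe_last_visited($_GET['last_visited'] ?? null);
// header('Location: ' . $_SERVER['REQUEST_SCHEME'] . '://' . $config_base_url . $target);

// Offline self-check with constructed inputs (expected results in the comments).
$cases = [
    base64_encode('/tickets.php?id=42')       => '/tickets.php?id=42', // accepted
    base64_encode('https://example.invalid/') => '/dashboard.php',     // absolute URL rejected
    base64_encode('//example.invalid/')       => '/dashboard.php',     // protocol-relative rejected
    base64_encode("/ok\r\nSet-Cookie: a=b")   => '/dashboard.php',     // header injection rejected
    base64_encode('/a/../../etc')             => '/dashboard.php',     // traversal rejected
    'not*base64'                              => '/dashboard.php',     // invalid encoding rejected
];
foreach ($cases as $input => $expected) {
    $got = safe_last_visited($input);
    printf("%-5s %s\n", $got === $expected ? 'ok' : 'FAIL', var_export($got, true));
}
```

The important check is the first one on the decoded value: because the application concatenates scheme, host and decoded value, only a value that starts with a single `/` is guaranteed to land in the path component. The remaining checks are defence in depth against header injection and traversal, which the page lists among the attacker-controlled inputs.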
Authenticated SQL injection / CVE-2025-67081
An authenticated SQL injection vulnerability was identified in an administrative feature related to role management. This issue allows an authenticated attacker with access to the administration panel to manipulate SQL queries and potentially leak or modify database information.
The application attempts to sanitize user input using a sanitizeInput function:
$role_id = sanitizeInput($_POST['role_id']);
However, this function is only effective when the SQL parameter is treated as a string. In the following SQL query, the role_id parameter is expected to be an integer and is therefore not enclosed in quotes:
```php
// Vulnerable query as shipped: $role_id is interpolated unquoted, so escaping
// quote characters does nothing to protect it.
mysqli_query(
    $mysqli,
    "UPDATE user_roles
     SET role_name = '$name',
         role_description = '$description',
         role_is_admin = $admin
     WHERE role_id = $role_id"
);
```
Because $role_id is injected directly into the query without quotation marks, an attacker does not need to escape out of a string context. This allows direct manipulation of the SQL query logic by injecting additional SQL expressions, leading to a successful SQL injection.
This vulnerability could be exploited to read sensitive data, modify database records, or escalate privileges, depending on database permissions and application logic.
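The following is an added example, not ITFlow's code or its published patch, that shows why quote escaping does not protect an unquoted integer placeholder and how to fix the query: strict integer validation of `role_id` plus a prepared statement with bound parameters. `escape_only()` stands in for the page's `sanitizeInput()`, whose definition is not shown and is assumed here to escape quote characters in the way `mysqli_real_escape_string()` does; `parse_role_id()` and `update_user_role()` are hypothetical names, and the `user_roles` columns are taken from the query quoted above.

```php
<?php
// Added example, not ITFlow's own code. Demonstrates that escaping alone does
// not protect an unquoted integer, and shows two fixes: strict validation of
// role_id and a prepared statement with bound parameters.
// Assumptions: escape_only() approximates the page's sanitizeInput(); the
// user_roles columns are as in the query quoted on the page; parse_role_id()
// and update_user_role() are hypothetical names.

// Stand-in for sanitizeInput(): escapes quotes, leaves everything else alone.
function escape_only(string $value): string
{
    return addslashes($value);
}

// Strict validation: accept only a positive decimal integer, null otherwise.
function parse_role_id($raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hardened update: every value is bound, none is concatenated into SQL text.
function update_user_role(mysqli $mysqli, int $role_id, string $name, string $description, bool $admin): bool
{
    $stmt = $mysqli->prepare(
        'UPDATE user_roles SET role_name = ?, role_description = ?, role_is_admin = ? WHERE role_id = ?'
    );
    if ($stmt === false) {
        return false;
    }
    $admin_int = $admin ? 1 : 0;
    $stmt->bind_param('ssii', $name, $description, $admin_int, $role_id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage in the handler (database connection required):
// $role_id = parse_role_id($_POST['role_id'] ?? null);
// if ($role_id === null) { http_response_code(400); exit; }
// update_user_role($mysqli, $role_id, $name, $description, $admin === '1');

// Offline demonstration with constructed inputs (no database needed): the
// escaped form of an unquoted-context payload is unchanged, while validation
// rejects everything that is not a plain integer.
$inputs = ['7', '7 OR 1=1', "7'; --", ''];
foreach ($inputs as $raw) {
    $validated = parse_role_id($raw);
    printf("%-12s escaped=%-12s validated=%s\n",
        var_export($raw, true),
        var_export(escape_only($raw), true),
        $validated === null ? 'rejected' : (string) $validated);
}
```

Validation is useful on its own for error reporting, but the prepared statement is what actually removes the injection: with `bind_param('ssii', ...)` the driver sends `role_id` as an integer parameter rather than as text spliced into the query, so the string versus integer distinction the page describes no longer matters.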
Mitigation
The SQL injection was fixed in version 25.07 and the open redirect in version 25.11. Update to these versions or later to be protected against both issues.
