CVE-2025-69213

HIGH

OpenSTAManager <= 2.9.8 - Authenticated SQL Injection via idanagrafica Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-69213. PoCs published by lukasz-rybak.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2025-69213, a SQL injection vulnerability in OpenSTAManager's `ajax_complete.php` endpoint. It includes a proof of concept, vulnerable code snippets, and remediation guidance.

Description

OpenSTAManager is an open source management software for technical assistance and invoicing. In version 2.9.8 and prior, a SQL Injection vulnerability exists in the ajax_complete.php endpoint when handling the get_sedi operation. An authenticated attacker can inject malicious SQL code through the idanagrafica parameter, leading to unauthorized database access. At time of publication, no known patch exists.

Exploits (1)

nomisec WRITEUP
by lukasz-rybak · poc
https://github.com/lukasz-rybak/CVE-2025-69213

This repository provides a detailed technical analysis of CVE-2025-69213, a SQL injection vulnerability in OpenSTAManager's `ajax_complete.php` endpoint. It includes a proof of concept, vulnerable code snippets, and remediation guidance.

Classification
Writeup 100%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: devcode-it/openstamanager <= 2.9.8
Auth required
Prerequisites: valid session cookie · access to the `get_sedi` endpoint
devstral-2 · analyzed Apr 12, 2026 Full analysis →

References (1)

Core 1

Scores

CVSS v3 8.8
EPSS 0.0006
EPSS Percentile 18.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-89
Status published
Products (2)
devcode/openstamanager < 2.9.8
devcode-it/openstamanager 0Packagist
Published Feb 04, 2026
Tracked Since Feb 18, 2026