CVE-2025-69214

HIGH

OpenSTAManager < 2.9.8 - Authenticated SQL Injection via ajax_select.php Componenti Operation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-69214. PoCs published by lukasz-rybak.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2025-69214, a SQL injection vulnerability in OpenSTAManager's `ajax_select.php` endpoint. It includes a proof of concept, vulnerable code snippets, remediation steps, and exploitation examples using SQLMap.

Description

OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, an SQL Injection vulnerability exists in the ajax_select.php endpoint when handling the componenti operation. An authenticated attacker can inject malicious SQL code through the options[matricola] parameter.

Exploits (1)

nomisec WRITEUP
by lukasz-rybak · poc
https://github.com/lukasz-rybak/CVE-2025-69214

This repository provides a detailed technical analysis of CVE-2025-69214, a SQL injection vulnerability in OpenSTAManager's `ajax_select.php` endpoint. It includes a proof of concept, vulnerable code snippets, remediation steps, and exploitation examples using SQLMap.

Classification
Writeup 100%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: devcode-it/openstamanager <= 2.9.8
Auth required
Prerequisites: valid session cookie · access to the `ajax_select.php` endpoint
devstral-2 · analyzed Apr 12, 2026 Full analysis →

References (1)

Core 1
Core References

Scores

CVSS v3 8.8
EPSS 0.0002
EPSS Percentile 5.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-89
Status published
Products (2)
devcode/openstamanager < 2.9.8
devcode-it/openstamanager 0Packagist
Published Feb 06, 2026
Tracked Since Feb 18, 2026