CVE-2026-28805
HIGHOpenSTAManager: Time-Based Blind SQL Injection via `options[stato]` Parameter
Title source: cnaDescription
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the options[stato] GET parameter. The user-supplied value is read from $superselect['stato'] and concatenated directly into SQL WHERE clauses as a bare expression, without any sanitization, parameterization, or allowlist validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including usernames, password hashes, financial records, and any other information stored in the MySQL database. This issue has been patched in version 2.10.2.
References (4)
Core 4
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/devcode-it/openstamanager/security/advisories/GHSA-3gw8-3mg3-jmpc
X_Refsource_Misc x_refsource_misc
https://github.com/devcode-it/openstamanager/commit/50b9089c506ba2ca249afb1dfead2af5d42c10e7
X_Refsource_Misc x_refsource_misc
https://github.com/devcode-it/openstamanager/commit/679c40fa5b3acad4263b537f367c0695ff9666dc
X_Refsource_Misc x_refsource_misc
https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2
Scores
CVSS v3
8.8
EPSS
0.0046
EPSS Percentile
36.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-89
Status
published
Products (3)
devcode/openstamanager
< 2.10.2
devcode-it/openstamanager
0 - 2.10.2Packagist
devcode-it/openstamanager
< 2.10.2
Published
Apr 02, 2026
Tracked Since
Apr 02, 2026