Impact
OpenSTAManager versions up to 2.9.8 include a time‑based blind SQL injection in the article pricing completion handler. The vulnerability arises because the idarticolo parameter is concatenated directly into SQL statements without proper sanitization, allowing an attacker to inject arbitrary SQL commands. Through Boolean inference over timed responses, an attacker can extract sensitive database contents. This flaw is officially classified as CWE‑89 and represents a high‑severity data‑exposure risk.
Affected Systems
The affected product is OpenSTAManager by devcode‑it. Versions 2.9.8 and earlier are vulnerable. Any deployment that uses the article pricing module in these releases is at risk, including self‑hosted installations and shared hosting environments that rely on the same codebase.
Risk and Exploitability
The CVSS score of 8.7 indicates high severity. The EPSS score is below 1 %, signifying a low likelihood of widespread exploitation, and the vulnerability is not listed in CISA’s KEV catalog, which reduces the urgency for an immediate coordinated response. The likely attack vector is remote: an adversary can send crafted requests to the article pricing endpoint over HTTP to deliver malicious idarticolo values. Authentication or other preconditions are not described in the advisory, so the exact scope of exposure remains uncertain, but the flaw could be exploited as long as the endpoint is reachable and input is not otherwise validated.
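As an added illustration of the detection side of the flaw described above (not code from the advisory or from OpenSTAManager), the script below scans constructed access-log lines for the two signals a time-based blind injection against idarticolo leaves behind: a value that is not a plain integer, and a response time far above the endpoint's baseline. The log format, the endpoint path and the 2000 ms threshold are assumptions; the real path is not named in the advisory, so a placeholder is used.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample log lines, not real OpenSTAManager traffic. Assumed format:
# client method path?query status response_time_ms; the path is a placeholder.
SAMPLE_LOG = """\
10.0.0.5 GET /PLACEHOLDER/article_pricing?idarticolo=42 200 35
10.0.0.9 GET /PLACEHOLDER/article_pricing?idarticolo=42%20AND%20SLEEP(5) 200 5042
10.0.0.9 GET /PLACEHOLDER/article_pricing?idarticolo=42%27%20OR%20%271%27%3D%271 200 38
10.0.0.7 GET /PLACEHOLDER/article_pricing?idarticolo=7 200 29
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")
INT_RE = re.compile(r"\d+")   # idarticolo is a row id: digits only is the allow-list
SLOW_MS = 2000                # assumed threshold; tune to the deployment's baseline

def parse_line(line):
    """Split one log line into a record; parse_qs also URL-decodes the value."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, target, status, ms = m.groups()
    params = parse_qs(urlparse(target).query, keep_blank_values=True)
    return {"client": client, "method": method, "status": int(status),
            "ms": int(ms), "idarticolo": params.get("idarticolo", [None])[0]}

def classify(rec):
    """Findings for one request: a non-integer id is tampering; a slow reply on
    top of it is the signature of time-based inference described in the advisory."""
    findings = []
    val = rec["idarticolo"]
    if val is None:
        return findings
    if not INT_RE.fullmatch(val):
        findings.append("non-numeric idarticolo")
    if rec["ms"] >= SLOW_MS:
        findings.append("slow response")
    return findings

def scan(log_text):
    """Return (client, idarticolo, findings) for every suspicious request."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        findings = classify(rec) if rec else []
        if findings:
            alerts.append((rec["client"], rec["idarticolo"], findings))
    return alerts
```

The same digits-only allow-list, applied server-side before the value reaches any query and combined with parameter binding instead of string concatenation, is the standard CWE-89 remediation; the log check only tells you whether someone has been probing for its absence.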