Description
OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Time-Based Blind SQL Injection vulnerability in the global search functionality. The application fails to properly sanitize the term parameter before using it in SQL LIKE clauses across multiple module-specific search handlers, allowing attackers to inject arbitrary SQL commands and extract sensitive data through time-based Boolean inference.
Published: 2026-02-06
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via Time-Based Blind SQL Injection
Action: Immediate Patch
AI Analysis

Impact

OpenSTAManager v2.9.8 and earlier allow attackers to inject arbitrary SQL into the global search functionality because the term parameter is not sanitized before being used in LIKE clauses. This Time-Based Blind SQL Injection lets attackers perform Boolean inference to extract sensitive data from the database. The main impact is the potential disclosure of confidential information.

Affected Systems

The vulnerability affects the devcode-it OpenSTAManager product for versions 2.9.8 and all earlier releases. Users running those versions on any supported platform are susceptible.

Risk and Exploitability

The CVSS score of 8.7 signifies a high severity, but the EPSS score is under 1%, indicating low current exploitation likelihood. The vulnerability is not included in CISA's KEV catalog. Attacks would target the web application’s search feature and typically require the attacker to be authenticated or to have access to the search interface. Because the payload is delivered via HTTP requests, the attack vector is network-based and could be performed remotely.

Generated by OpenCVE AI on April 17, 2026 at 22:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenSTAManager to at least version 2.9.9 or later
  • Implement input sanitization for the 'term' parameter in all global search handlers
  • Disable the global search feature or restrict access until the issue is resolved

Generated by OpenCVE AI on April 17, 2026 at 22:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4hc4-8599-xh2h OpenSTAManager has a Time-Based Blind SQL Injection with Amplified Denial of Service
History

Mon, 09 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:devcode:openstamanager:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Devcode
Devcode openstamanager
Vendors & Products Devcode
Devcode openstamanager

Fri, 06 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Feb 2026 18:30:00 +0000

Type Values Removed Values Added
Description OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Time-Based Blind SQL Injection vulnerability in the global search functionality. The application fails to properly sanitize the term parameter before using it in SQL LIKE clauses across multiple module-specific search handlers, allowing attackers to inject arbitrary SQL commands and extract sensitive data through time-based Boolean inference.
Title OpenSTAManager has a Time-Based Blind SQL Injection with Amplified Denial of Service
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Devcode Openstamanager
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-06T18:57:15.495Z

Reserved: 2026-01-22T18:19:49.175Z

Link: CVE-2026-24417

cve-icon Vulnrichment

Updated: 2026-02-06T18:55:47.958Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-06T19:16:08.973

Modified: 2026-02-09T21:43:49.913

Link: CVE-2026-24417

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T22:45:29Z

Weaknesses