Impact
OpenSTAManager, a self-hosted technical assistance and invoicing platform, contains a flaw in the file modules/utenti/actions.php that allows an unauthenticated user to set the idgruppo field supplied in the request. Because the application does not verify that the requester holds administrative rights, an attacker can promote any existing account to the Amministratori group or demote a legitimate administrator. This yields full control over the system’s user hierarchy and permits unrestricted execution of privileged operations, matching CWE-306 (Authorization Bypass Through User-Controlled Key).
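To make the missing check concrete, the following is an added illustration and not OpenSTAManager's own code: a minimal model of a group-change handler in the vulnerable shape the advisory describes, next to a form that enforces the authorization the advisory says is absent. The user table, group names other than Amministratori, the `target_id` request field and the session layout are all constructed assumptions.

```python
# Added illustration (not OpenSTAManager code): a minimal model of the
# group-change handler described in the advisory, in a vulnerable form
# and in a form that enforces the missing authorization check.
# The user table, the "Tecnici" group, the target_id request field and
# the session layout are constructed sample data / assumed names.

ADMIN_GROUP = "Amministratori"   # group name quoted in the advisory

# Constructed sample user table: user id -> record
USERS = {
    1: {"name": "admin", "idgruppo": ADMIN_GROUP},
    2: {"name": "tecnico", "idgruppo": "Tecnici"},
}

class Forbidden(Exception):
    """Raised when the requester may not change group membership."""

def set_group_vulnerable(users, session, request):
    """Mirrors the flaw: idgruppo from the request is applied with no
    check on who (if anyone) is logged in."""
    target = int(request["target_id"])
    users[target]["idgruppo"] = request["idgruppo"]
    return users[target]["idgruppo"]

def set_group_hardened(users, session, request):
    """Same operation with the authorization the advisory says is
    missing: the caller must be authenticated and must itself be an
    administrator. It also refuses to demote the last remaining
    administrator, so a single compromised admin session cannot lock
    every legitimate administrator out."""
    caller_id = session.get("user_id")
    if caller_id is None or caller_id not in users:
        raise Forbidden("authentication required")
    if users[caller_id]["idgruppo"] != ADMIN_GROUP:
        raise Forbidden("administrator rights required")
    target = int(request["target_id"])
    if target not in users:
        raise KeyError("unknown user")
    new_group = request["idgruppo"]
    admins = [u for u, rec in users.items() if rec["idgruppo"] == ADMIN_GROUP]
    if (users[target]["idgruppo"] == ADMIN_GROUP
            and new_group != ADMIN_GROUP and admins == [target]):
        raise Forbidden("cannot demote the last administrator")
    users[target]["idgruppo"] = new_group
    return new_group
```

The vulnerable function succeeds with an empty session, which is exactly the condition the advisory describes; the hardened one rejects the same request before touching the user table.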
Affected Systems
The vulnerability affects all installations of OpenSTAManager version 2.9.8 and earlier. The vendor, devcode-it, publishes the software under the open source license managed by the devcode-it organization. The advisory lists no other affected versions, and no later release is known to contain the flaw according to the advisory.
Risk and Exploitability
The CVSS base score of 9.8 indicates a critical risk, and the EPSS score of less than 1% suggests that widespread exploitation is unlikely but not impossible. The advisory does not list this issue in the CISA KEV catalog, indicating that no active exploits are currently known to be in circulation. Based on the description, attackers would most likely exploit the issue from a remote web context by directly requesting the vulnerable script, provided the target is publicly reachable and the application is not otherwise hardened to restrict access to that script. The lack of mandatory authentication for the endpoint presents a clear vector for unauthorized privilege escalation.
Sources: OpenCVE Enrichment, GitHub GHSA