Description
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the options[stato] GET parameter. The user-supplied value is read from $superselect['stato'] and concatenated directly into SQL WHERE clauses as a bare expression, without any sanitization, parameterization, or allowlist validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including usernames, password hashes, financial records, and any other information stored in the MySQL database. This issue has been patched in version 2.10.2.
Published: 2026-04-02
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Theft
Action: Immediate Patch
AI Analysis

Impact

OpenSTAManager, an open source management platform, contains a time-based blind SQL injection flaw in the AJAX select handlers that accept the options[stato] parameter. The user-supplied value is inserted directly into SQL WHERE clauses without sanitization or parameterization. An attacker who can authenticate to the application can exploit this weakness to execute arbitrary SQL and exfiltrate sensitive information, such as usernames, password hashes, and financial records, from the MySQL database.
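As an added illustration (not code from OpenSTAManager, and written in Python with sqlite3 rather than the project's PHP), the concatenation pattern the description names, beside a hardened handler that allowlists and parameterizes the options[stato] value before it reaches the database; the table, column names and accepted status codes are constructed assumptions for the demo.

```python
import re
import sqlite3

# Constructed in-memory table standing in for a status-filtered lookup; not the project's schema.
conn = sqlite3.connect(":memory:")
conn.executescript(
    "CREATE TABLE interventi (id INTEGER PRIMARY KEY, descrizione TEXT, stato TEXT);"
    "INSERT INTO interventi VALUES (1, 'Printer repair', 'OK'), (2, 'Site visit', 'WAIT'), (3, 'Call', 'OK');"
)

# Status codes the handler legitimately accepts (assumed allowlist for this demo).
ALLOWED_STATES = frozenset({"OK", "WAIT", "CANCELLED"})


def build_query_vulnerable(stato: str) -> str:
    # The flawed pattern: the GET value is spliced into the WHERE clause as a bare expression,
    # so the database cannot distinguish the caller's data from SQL syntax.
    return f"SELECT id, descrizione FROM interventi WHERE stato = '{stato}'"


def find_by_state_safe(stato: str):
    # Hardened handler: the value must match a short allowlist before any SQL is built,
    # and it then travels to the driver as a bound parameter rather than as query text.
    if not isinstance(stato, str) or stato not in ALLOWED_STATES:
        raise ValueError(f"rejected unexpected stato value: {stato!r}")
    return conn.execute(
        "SELECT id, descrizione FROM interventi WHERE stato = ?", (stato,)
    ).fetchall()


def looks_like_tampered_state(stato: str) -> bool:
    # Detection aid for web-server or proxy logs: a legitimate stato is a short alphanumeric
    # code, so quotes, whitespace or comment characters in the parameter are worth an alert.
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", stato) is None
```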

Affected Systems

All releases of Devcode-IT OpenSTAManager prior to version 2.10.2 are affected. The vulnerability lies in the core application and is reachable through any AJAX route that accepts the options[stato] GET parameter. Upgrading to v2.10.2 or later resolves the issue.

Risk and Exploitability

The severity is high, with a CVSS score of 8.8, yet the EPSS score is below 1%, indicating that exploitation is not currently widely seen. The vulnerability requires user authentication and web-based interaction, suggesting an application-layer attack vector. Although it is not included in the CISA KEV catalog, the potential for data theft makes it a priority for remediation.

Generated by OpenCVE AI on April 7, 2026 at 23:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenSTAManager to version 2.10.2 or later.
  • Restrict or disable the affected AJAX endpoints if an immediate upgrade is not possible.
  • Verify that authentication is required before the vulnerable parameter can be accessed.
  • Audit database logs for signs of malicious query activity and consider implementing query monitoring or intrusion detection.



Advisories
Source: Github GHSA
ID: GHSA-3gw8-3mg3-jmpc
Title: OpenSTAManager has a Time-Based Blind SQL Injection via `options[stato]` Parameter
History

Tue, 07 Apr 2026 21:30:00 +0000

CPEs (added): cpe:2.3:a:devcode:openstamanager:*:*:*:*:*:*:*:*

Thu, 02 Apr 2026 20:30:00 +0000

First Time appeared (added): Devcode, Devcode openstamanager
Vendors & Products (added): Devcode, Devcode openstamanager
Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 14:15:00 +0000

Description (added): OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the options[stato] GET parameter. The user-supplied value is read from $superselect['stato'] and concatenated directly into SQL WHERE clauses as a bare expression, without any sanitization, parameterization, or allowlist validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including usernames, password hashes, financial records, and any other information stored in the MySQL database. This issue has been patched in version 2.10.2.
Title (added): OpenSTAManager: Time-Based Blind SQL Injection via `options[stato]` Parameter
Weaknesses (added): CWE-89
References (added): none listed
Metrics (added): cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T18:31:08.958Z

Reserved: 2026-03-03T14:25:19.246Z

Link: CVE-2026-28805

Vulnrichment

Updated: 2026-04-02T18:31:04.161Z

NVD

Status: Analyzed

Published: 2026-04-02T14:16:26.400

Modified: 2026-04-07T21:17:55.163

Link: CVE-2026-28805

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:56:30Z

Weaknesses