Description
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the options[stato] GET parameter. The user-supplied value is read from $superselect['stato'] and concatenated directly into SQL WHERE clauses as a bare expression, without any sanitization, parameterization, or allowlist validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including usernames, password hashes, financial records, and any other information stored in the MySQL database. This issue has been patched in version 2.10.2.
Published: 2026-04-02
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality breach through SQL injection
Action: Apply Patch
AI Analysis

Impact

OpenSTAManager suffers a time-based blind SQL injection arising from the unvalidated options[stato] GET parameter in several AJAX select handlers. The user-supplied value is placed directly into a SQL WHERE clause as a bare expression, so an attacker can append arbitrary SQL. "Time-based blind" means the response body reveals nothing about the query result; the attacker instead makes the database delay the response (for example with MySQL's SLEEP()) whenever a guessed condition holds, and reconstructs data from the timing, one condition per request. The end result is the same as any other SQL injection: usernames, password hashes, financial records and any other data stored in the MySQL database can be extracted. The root cause is improper neutralization of special elements in an SQL command (CWE-89), and exploitation can lead to full compromise of the application's data.
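The pattern described above, as an added example written for this page (it is not OpenSTAManager's code). The table and column names (anagrafiche, nome, stato), the exact shape of the WHERE clause and the placeholder table "utenti" in the payload are assumptions made for illustration; the advisory only states that $superselect['stato'] is concatenated into a WHERE clause as a bare expression. The vulnerable builder is shown next to a hardened one that allowlists the value and binds it as a parameter, run against an in-memory SQLite fixture so it works offline (the SLEEP() payload itself is MySQL-specific and is only shown as generated SQL).

```php
<?php
// Added example, not OpenSTAManager's code. Table/column names and the WHERE
// clause shape are assumptions for illustration.

// Constructed in-memory fixture (SQLite) so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE anagrafiche (id INTEGER PRIMARY KEY, nome TEXT, stato TEXT)');
$pdo->exec("INSERT INTO anagrafiche (nome, stato) VALUES ('Rossi', 'attivo'), ('Bianchi', 'sospeso')");

// Vulnerable pattern: the request value (?options[stato]=...) is pasted into
// the WHERE clause with no quoting, parameter binding or allowlist.
function vulnerableSql(array $superselect): string
{
    $where = '1=1';
    if (isset($superselect['stato'])) {
        $where .= ' AND stato = ' . $superselect['stato'];
    }
    return "SELECT id, nome FROM anagrafiche WHERE $where";
}

// Time-based blind payload: the response body reveals nothing, so the attacker
// makes MySQL delay the query when a guessed character is right and reads the
// answer from the response time. "utenti"/"password" are placeholder names.
$payload = "'attivo' AND IF(SUBSTRING((SELECT password FROM utenti LIMIT 1),1,1)='a',SLEEP(5),0)";
echo vulnerableSql(['stato' => $payload]), PHP_EOL;
// -> SELECT id, nome FROM anagrafiche WHERE 1=1 AND stato = 'attivo' AND IF(...,SLEEP(5),0)

// Hardened version: reject anything outside a fixed allowlist, then bind the
// value as a parameter so the database never parses it as SQL. Either measure
// alone closes this bug; using both keeps a later allowlist change from
// silently reopening it.
const ALLOWED_STATO = ['attivo', 'sospeso', 'chiuso'];

function hardenedQuery(PDO $pdo, array $superselect): array
{
    $sql = 'SELECT id, nome FROM anagrafiche WHERE 1=1';
    $params = [];
    if (isset($superselect['stato'])) {
        $stato = $superselect['stato'];
        if (!is_string($stato) || !in_array($stato, ALLOWED_STATO, true)) {
            throw new InvalidArgumentException('stato not in allowlist');
        }
        $sql .= ' AND stato = :stato';
        $params[':stato'] = $stato;
    }
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

print_r(hardenedQuery($pdo, ['stato' => 'attivo']));   // one row: Rossi
try {
    hardenedQuery($pdo, ['stato' => $payload]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The allowlist is the important half for a field like stato, whose legitimate values are a small fixed set: a bound parameter would also accept any free-text value, which is harmless here but is not what the handler is meant to do.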

Affected Systems

The issue affects the devcode-it OpenSTAManager application in all releases prior to version 2.10.2. Version 2.10.2 contains the fix for the options[stato] injection vector (see the GHSA advisory referenced below).

Risk and Exploitability

The CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) classifies this as high severity. EPSS is below 1% and the issue is not listed in CISA's KEV catalog, but the SSVC assessment records a public proof of concept with total technical impact, so the data exposure risk remains substantial. The attack path requires only an authenticated session and the ability to reach the vulnerable AJAX endpoints, which ordinary application users have; any account on the instance, including one obtained through a stolen or phished session, can exploit it with a crafted GET request.

Generated by OpenCVE AI on April 2, 2026 at 15:24 UTC.

Remediation

Fixed in OpenSTAManager 2.10.2. No separate workaround is published; see the recommended actions below.

OpenCVE Recommended Actions

  • Update OpenSTAManager to version 2.10.2 or later, which contains the fix for the options[stato] injection vector.
  • Verify that the application is correctly operating with the updated version and that no legacy code paths remain exposed to the vulnerable parameter.
  • Monitor web server access logs for requests to the AJAX select endpoints whose options[stato] value contains SQL fragments (for example SLEEP( or BENCHMARK() or that take abnormally long to answer, review database query logs for unusual activity, and consider disabling or restricting the vulnerable AJAX endpoints until the patch is confirmed to be in place.
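A way to run the log check above, as an added example written for this page (it is not OpenCVE's or OpenSTAManager's tooling). It assumes combined-format access log lines with the response time in microseconds appended as a last field (Apache's %D); the endpoint path /ajax/select.php and the log lines themselves are constructed for the example.

```php
<?php
// Added detection example, not part of OpenCVE or OpenSTAManager. Scans access
// log lines for requests whose options[stato] value carries time-based SQL
// injection markers, or that were answered abnormally slowly.
// Assumptions: combined log format plus a trailing %D field (microseconds);
// the endpoint path is a placeholder.

// Constructed sample lines (not real traffic).
$logLines = [
    '10.0.0.5 - - [02/Apr/2026:14:20:01 +0000] "GET /ajax/select.php?op=clienti&options%5Bstato%5D=attivo HTTP/1.1" 200 512 120000',
    '10.0.0.9 - - [02/Apr/2026:14:20:07 +0000] "GET /ajax/select.php?op=clienti&options%5Bstato%5D=%27attivo%27+AND+SLEEP%285%29 HTTP/1.1" 200 18 5100000',
    '10.0.0.9 - - [02/Apr/2026:14:20:13 +0000] "GET /ajax/select.php?op=clienti&options%5Bstato%5D=%27attivo%27+AND+IF%28ASCII%28SUBSTRING%28%28SELECT+1%29%2C1%2C1%29%29%3E48%2CSLEEP%283%29%2C0%29 HTTP/1.1" 200 18 3050000',
    '10.0.0.7 - - [02/Apr/2026:14:21:00 +0000] "GET /index.php HTTP/1.1" 200 2048 30000',
];

function scanAccessLog(array $lines, int $slowMicros = 3000000): array
{
    // ip, timestamp, method, target, status, optional duration in microseconds
    $lineRe = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+(?: (\d+))?$/';
    // Delay functions used for time-based blind injection; SLEEP and BENCHMARK
    // are the MySQL ones relevant to this advisory.
    $sqliRe = '/\b(?:SLEEP|BENCHMARK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b/i';
    $findings = [];

    foreach ($lines as $line) {
        if (!preg_match($lineRe, $line, $m)) {
            continue;                           // not a line we understand
        }
        $query = parse_url($m[4], PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;                           // no query string at all
        }
        parse_str($query, $params);             // decodes options%5Bstato%5D into $params['options']['stato']
        $stato = $params['options']['stato'] ?? null;
        if (!is_string($stato)) {
            continue;                           // parameter absent: out of scope
        }
        $micros = isset($m[6]) && $m[6] !== '' ? (int) $m[6] : null;

        $reasons = [];
        if (preg_match($sqliRe, $stato)) {
            $reasons[] = 'time-based SQLi marker in options[stato]';
        }
        if ($micros !== null && $micros >= $slowMicros) {
            $reasons[] = sprintf('slow response (%.1f s)', $micros / 1e6);
        }
        if ($reasons) {
            $findings[] = ['ip' => $m[1], 'time' => $m[2], 'stato' => $stato, 'reasons' => $reasons];
        }
    }
    return $findings;
}

foreach (scanAccessLog($logLines) as $f) {
    printf("%s %s options[stato]=%s: %s\n", $f['time'], $f['ip'], $f['stato'], implode('; ', $f['reasons']));
}
```

The slow-response check matters because a real attack will often use a delay value and encoding that a keyword regex misses; a burst of multi-second responses from one client to the select endpoints is the more robust signal, and the keyword match then tells you what they were doing.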

Advisories
Source       ID                    Title
GitHub GHSA  GHSA-3gw8-3mg3-jmpc   OpenSTAManager has a Time-Based Blind SQL Injection via `options[stato]` Parameter
History

Thu, 02 Apr 2026 20:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Devcode
                                      Devcode openstamanager
Vendors & Products                    Devcode
                                      Devcode openstamanager
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 14:15:00 +0000

Type          Values Removed   Values Added
Description                    OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the options[stato] GET parameter. The user-supplied value is read from $superselect['stato'] and concatenated directly into SQL WHERE clauses as a bare expression, without any sanitization, parameterization, or allowlist validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including usernames, password hashes, financial records, and any other information stored in the MySQL database. This issue has been patched in version 2.10.2.
Title                          OpenSTAManager: Time-Based Blind SQL Injection via `options[stato]` Parameter
Weaknesses                     CWE-89
References
Metrics                        cvssV3_1
                               {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T18:31:08.958Z

Reserved: 2026-03-03T14:25:19.246Z

Link: CVE-2026-28805

Vulnrichment

Updated: 2026-04-02T18:31:04.161Z

NVD

Status: Awaiting Analysis

Published: 2026-04-02T14:16:26.400

Modified: 2026-04-03T16:10:52.680

Link: CVE-2026-28805

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:21:11Z

Weaknesses