VYPR
High severity · NVD Advisory · Published Feb 4, 2026 · Updated Feb 4, 2026

OpenSTAManager has a SQL Injection in ajax_complete.php (get_sedi endpoint)

CVE-2025-69213

Description

OpenSTAManager is an open source management software for technical assistance and invoicing. In version 2.9.8 and prior, a SQL Injection vulnerability exists in the ajax_complete.php endpoint when handling the get_sedi operation. An authenticated attacker can inject malicious SQL code through the idanagrafica parameter, leading to unauthorized database access. At time of publication, no known patch exists.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpenSTAManager ≤2.9.8 includes an authenticated SQL injection in ajax_complete.php via the idanagrafica parameter, allowing unauthorized database access.

Vulnerability

Overview

A SQL injection vulnerability exists in the ajax_complete.php endpoint of OpenSTAManager (version 2.9.8 and prior) during the get_sedi operation [1][2]. The root cause is the direct concatenation of the idanagrafica parameter from $_GET into a SQL query without sanitization or parameterization [3]. The vulnerable code at modules/anagrafiche/ajax/complete.php:28 builds the query as: $q = "SELECT id, CONCAT_WS( ' - ', nomesede, citta ) AS descrizione FROM an_sedi WHERE idanagrafica='".$idanagrafica."' ..." and then executes it via $dbo->fetchArray($q) [3].
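The concatenation pattern described above, reproduced as an added example that is not OpenSTAManager's code: a Python/sqlite3 model of the get_sedi query with the parameter spliced into the SQL text, next to a hardened version that validates the value and binds it as a parameter. The table layout, the zz_users columns, the made-up rows and the use of sqlite's || operator in place of MySQL's CONCAT_WS are assumptions made so the script runs offline.

```python
import sqlite3

# Constructed schema: a subset of the an_sedi and zz_users tables the
# advisory names, with made-up rows (assumption, not the project's schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE an_sedi (
            id INTEGER PRIMARY KEY, idanagrafica INTEGER, nomesede TEXT, citta TEXT);
        CREATE TABLE zz_users (
            id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO an_sedi (idanagrafica, nomesede, citta) VALUES
            (1, 'Sede legale', 'Milano'), (1, 'Magazzino', 'Bergamo'),
            (2, 'Sede legale', 'Roma'),   (3, 'Ufficio', 'Torino');
        INSERT INTO zz_users (username, password) VALUES
            ('admin',   '$2y$10$made-up-hash-admin'),
            ('tecnico', '$2y$10$made-up-hash-tecnico');
    """)
    return conn


def get_sedi_vulnerable(conn, idanagrafica):
    """The concatenation pattern from the advisory: the raw parameter is
    spliced into the WHERE clause, so it becomes part of the SQL text.
    sqlite's || stands in for MySQL's CONCAT_WS (assumption)."""
    q = ("SELECT id, nomesede || ' - ' || citta AS descrizione FROM an_sedi "
         "WHERE idanagrafica='" + idanagrafica + "' ORDER BY nomesede")
    return conn.execute(q).fetchall()


def get_sedi_fixed(conn, idanagrafica):
    """Hardened version: check the shape of the value first (an id is a
    plain integer), then bind it as a parameter so the driver never lets
    it alter the statement."""
    if not isinstance(idanagrafica, str) or not idanagrafica.isdigit():
        raise ValueError("idanagrafica must be a positive integer")
    q = ("SELECT id, nomesede || ' - ' || citta AS descrizione FROM an_sedi "
         "WHERE idanagrafica=? ORDER BY nomesede")
    return conn.execute(q, (int(idanagrafica),)).fetchall()


# UNION-based payload of the kind sqlmap would derive: closes the quoted
# literal, appends a SELECT over zz_users with the same two columns, and
# comments out the remainder of the original statement.
UNION_PAYLOAD = "' UNION SELECT id, username || ':' || password FROM zz_users -- "


def demo():
    conn = make_db()
    legit = get_sedi_vulnerable(conn, "1")             # intended use: 2 rows
    leaked = get_sedi_vulnerable(conn, UNION_PAYLOAD)  # credential rows instead
    fixed_ok = get_sedi_fixed(conn, "1")               # same 2 rows
    try:
        get_sedi_fixed(conn, UNION_PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True                                 # payload never reaches SQL
    return legit, leaked, fixed_ok, blocked


if __name__ == "__main__":
    legit, leaked, fixed_ok, blocked = demo()
    print("legit rows:", legit)
    print("leaked via UNION:", leaked)
    print("fixed rows:", fixed_ok, "| payload rejected:", blocked)
```

The validation step alone would stop this payload, but the parameter binding is what makes the fix robust: even if a future caller passes a value that slipped past validation, the bound value is data, not SQL.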

Exploitation

Prerequisites

The attacker must be authenticated to the application, as the endpoint requires a valid session [2][3]. No other network-level prerequisites are needed beyond web access to the vulnerable instance. The idanagrafica parameter is user-supplied via GET request, making exploitation straightforward. A proof-of-concept demonstrates time-based blind SQL injection using a SLEEP(5) payload, and tools like sqlmap can automate extraction [3].

Impact

Successful exploitation can lead to complete database exfiltration, including user credentials, customer data, and financial records [3]. The attacker may also modify the zz_users table to escalate privileges to administrator level, or alter or delete any record in the database. Under certain configurations there is potential for remote code execution via SELECT ... INTO OUTFILE [3]; on MySQL this additionally requires that the application's database account hold the FILE privilege and that secure_file_priv permit writing into a directory the web server executes from, so it is not a given on a default installation.

Mitigation

Status

At the time of publication (February 2026), no official patch or fix is available for this vulnerability [2]. The project maintainers have not released a patched version, and all branches up to version 2.9.8 remain affected [3]. Users should monitor the vendor repository for updates. Operators who can modify their deployment should replace the string concatenation with a bound query parameter; those who cannot should apply strict input validation, rejecting any idanagrafica value on the ajax_complete.php endpoint that is not a plain integer, either in the application or as a web application firewall rule scoped to that endpoint. A positive integer check is preferable to a blocklist of SQL keywords, which can be evaded.
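An added example of the virtual-patch check suggested above, written for this page and not part of the advisory or the OpenSTAManager project: a Python rule that allows a get_sedi request only when idanagrafica is a plain integer, used both as a block decision for a WAF or reverse-proxy hook and as a scan over Apache access-log lines to find attempts that already happened. The op=get_sedi query parameter name, the log contents, the addresses and the user-agent strings are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache "combined" access-log lines for this example; hosts,
# addresses, timestamps and user agents are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Feb/2026:10:01:12 +0100] "GET /ajax_complete.php?op=get_sedi&idanagrafica=42 HTTP/1.1" 200 311 "-" "Mozilla/5.0"
10.0.0.5 - - [04/Feb/2026:10:01:40 +0100] "GET /ajax_complete.php?op=get_sedi&idanagrafica=42'%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 311 "-" "Mozilla/5.0"
10.0.0.9 - - [04/Feb/2026:10:02:03 +0100] "GET /ajax_complete.php?op=get_sedi&idanagrafica=7%27%20UNION%20SELECT%20id%2Cpassword%20FROM%20zz_users--%20 HTTP/1.1" 200 2048 "-" "sqlmap/1.8"
10.0.0.5 - - [04/Feb/2026:10:02:30 +0100] "GET /modules/anagrafiche/edit.php?id=42'%20OR%201=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def get_sedi_param(target):
    """Return the decoded idanagrafica value if `target` is a get_sedi call
    to ajax_complete.php, else None. Selecting the operation through an
    op=get_sedi query parameter is an assumption for this example."""
    parts = urlsplit(target)
    if not parts.path.endswith("/ajax_complete.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("op", [""])[0] != "get_sedi":
        return None
    return qs.get("idanagrafica", [""])[0]


def allow_request(target):
    """Virtual-patch decision: on get_sedi, idanagrafica must be a plain
    integer. Requests to other endpoints are not this rule's concern, and an
    absent/empty id cannot break out of the quoted literal, so both pass."""
    value = get_sedi_param(target)
    if value is None or value == "":
        return True
    return re.fullmatch(r"\d+", value) is not None


def scan_log(text):
    """Retrospective detection: report every logged get_sedi request whose
    idanagrafica would have been blocked by allow_request()."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or allow_request(m["target"]):
            continue
        findings.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "ua": m["ua"],
            "idanagrafica": get_sedi_param(m["target"]),
        })
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} ua={hit["ua"]!r} idanagrafica={hit["idanagrafica"]!r}')
```

The fourth sample line carries an injection attempt against a different page and is deliberately left alone: this rule is scoped to the one endpoint the advisory names, which is what keeps it free of false positives, but it is a stopgap for this CVE and not a substitute for fixing the query.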

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                  Affected versions   Patched versions
devcode-it/openstamanager (Packagist)    <= 2.9.8            (none)

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 3

News mentions: 0