OpenSTAManager has a SQL Injection in ajax_select.php (componenti endpoint)
Description
OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, an SQL Injection vulnerability exists in the ajax_select.php endpoint when handling the componenti operation. An authenticated attacker can inject malicious SQL code through the options[matricola] parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated SQL injection in OpenSTAManager <= 2.9.8 through the options[matricola] parameter in ajax_select.php allows time-based blind exploitation for data theft.
Vulnerability analysis
OpenSTAManager versions 2.9.8 and earlier are vulnerable to an SQL injection in the ajax_select.php endpoint when handling the componenti operation. The root cause is that user input from the options[matricola] parameter is concatenated directly into an SQL IN() clause without any sanitization or parameterization [2][3]. This occurs in modules/impianti/ajax/select.php around lines 122-124, where the injected value is placed inside backticks and parentheses but no escaping or casting is applied [3].
An attacker must be authenticated to the application to reach the vulnerable endpoint. The vector is an HTTP GET request to /ajax_select.php?op=componenti&options[matricola]=... with a valid session [3]. No special privilege beyond authentication is required. The vulnerability can be exploited using a manual time-based blind SQL injection payload, as demonstrated by the included proof-of-concept that uses SLEEP(5) to confirm injection [3]. Automated tools like sqlmap can also be used against this parameter without difficulty, using the time-based blind technique [3].
Successful exploitation allows the attacker to exfiltrate any data stored in the underlying MySQL database. This includes sensitive business information such as client records, inventory data, credentials or other confidential fields accessible via the database user's permissions. Since the injected data flows into an IN() clause, the attacker can also potentially manipulate or extract the database schema and contents over time [3].
As of the advisory date, no patched version has been released for this vulnerability. The vendor's recommended remediation is to cast the incoming matricola values to integers before using them in the SQL query, effectively preventing any non-numeric injection [3]. Users are advised to apply this fix manually or update to a future fixed release if one becomes available. The CVE has been published and the advisory is publicly available, but there is no indication that it is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
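The cast-to-integer remediation described above, as an added example that is not OpenSTAManager's own code: a helper that validates each matricola value before casting it and then emits one bound placeholder per value, so the SQL text never contains user input. Function, parameter and table names here are assumptions, not the project's.

```php
<?php
// Added example, not taken from OpenSTAManager. Demonstrates the advisory's
// recommended fix (cast matricola values to integers) in a way that also
// rejects non-numeric input instead of silently coercing it.

/**
 * Build a safe `matricola` IN() filter from user-supplied values.
 * Returns [sqlFragment, boundParams], or null when no valid id remains.
 */
function buildMatricolaFilter(array $raw): ?array
{
    $ids = [];
    foreach ($raw as $value) {
        if (!is_int($value) && !is_string($value)) {
            continue;                       // arrays/objects are never valid ids
        }
        // Validate before casting: (int) "1 OR 1" would quietly become 1,
        // hiding a tampered request; requiring pure digits rejects it instead.
        if (preg_match('/^\d{1,10}$/', (string) $value) !== 1) {
            continue;
        }
        $ids[] = (int) $value;
    }
    $ids = array_values(array_unique($ids));
    if ($ids === []) {
        return null;
    }
    // One "?" per id; the integers travel as bound parameters, not as SQL text.
    $placeholders = implode(', ', array_fill(0, count($ids), '?'));
    return ["`matricola` IN ({$placeholders})", $ids];
}

// Constructed inputs: a clean request and one carrying non-numeric values.
$clean = buildMatricolaFilter(['12', '7', '12']);      // two placeholders, [12, 7]
$mixed = buildMatricolaFilter(['5', 'abc', '1 OR 1']); // only 5 survives

// Usage with PDO; $pdo and the table name `componenti` are placeholders.
// [$where, $params] = $clean;
// $stmt = $pdo->prepare("SELECT * FROM `componenti` WHERE {$where}");
// $stmt->execute($params);
```

Handling the null return (no valid ids) explicitly matters: falling back to an unfiltered query would turn a rejected input into a data-exposure bug of its own.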
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| devcode-it/openstamanager (Packagist) | <= 2.9.8 | — |
Affected products
- Range: <= 2.9.8
- devcode-it/openstamanager: range <= 2.9.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-qjv8-63xq-gq8m (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-69214 (NVD advisory)
- github.com/devcode-it/openstamanager/security/advisories/GHSA-qjv8-63xq-gq8m (vendor advisory, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.