OpenSTAManager has an SQL Injection in the Stampe Module
Description
OpenSTAManager is an open source management software for technical assistance and invoicing. In version 2.9.8 and prior, there is a SQL Injection vulnerability in the Stampe Module. At time of publication, no known patch exists.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenSTAManager 2.9.8 and prior contains a SQL injection vulnerability in the Stampe module due to unsanitized concatenation of the 'module' POST parameter into an SQL UPDATE query.
Vulnerability
Overview
CVE-2025-69215 describes a SQL injection vulnerability in the Stampe module (stampe/actions.php) of OpenSTAManager, an open-source management software for technical assistance and invoicing [2]. The flaw exists in the update case handler, where the module parameter from POST data is directly concatenated into an SQL UPDATE query without proper sanitization [1]. While the predefined parameter is validated with intval(), only an !empty() check is applied to module, which does not prevent injection [1].
Exploitation
An authenticated attacker can exploit this by sending a crafted POST request to /modules/stampe/actions.php with op=update, a non-zero predefined value, and a malicious module parameter [1]. The provided reference demonstrates error-based SQL injection using MySQL functions such as EXTRACTVERSION(), DATABASE(), and USER() via EXTRACTVALUE, UPDATEXML, or GTID_SUBSET [1]. No authentication bypass is needed; the attacker must have valid credentials to the application.
Impact
Successful exploitation allows an attacker to extract sensitive information from the database, including user credentials, business data, and other records managed by the application [2]. The vulnerability could lead to full compromise of the application's data integrity and confidentiality.
Mitigation
At the time of publication, no patch is available for this vulnerability [3]. Users are advised to apply input sanitization to the module parameter or restrict access to the affected module until a fix is released.
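The handler pattern the advisory describes (an integer check on predefined, only !empty() on module, then string concatenation into an UPDATE) and one way to harden it, as an added example that is not OpenSTAManager's code. The table name, column names and the allowlist of module identifiers are assumptions; the point is that the user-supplied value never becomes part of the SQL text.

```php
<?php
// Added example, not OpenSTAManager's own code. Hypothetical "update" action
// handler for a prints table; table/column names and the allowlist are assumed.
declare(strict_types=1);

/**
 * The advisory notes that only !empty() was applied to `module`, which accepts
 * any non-empty string. Require a short identifier that is also on an allowlist.
 */
function validateModule(?string $module, array $allowedModules): ?string
{
    if ($module === null || $module === '') {
        return null;
    }
    // Letters, digits and underscores only; rejects quotes, comments, spaces.
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $module)) {
        return null;
    }
    return in_array($module, $allowedModules, true) ? $module : null;
}

function handleUpdate(PDO $pdo, array $post, array $allowedModules): bool
{
    // intval()-style checks as in the original; filter_var rejects garbage outright.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    $predefined = filter_var($post['predefined'] ?? 0, FILTER_VALIDATE_INT);
    $module = validateModule($post['module'] ?? null, $allowedModules);

    if ($id === false || $predefined === false || $module === null) {
        return false; // reject the request instead of building a partial query
    }

    // Vulnerable pattern described in the advisory (string concatenation):
    //   "UPDATE prints SET module='" . $post['module'] . "' WHERE id=" . $id
    // Hardened form: bound parameters keep the value out of the SQL text.
    $stmt = $pdo->prepare(
        'UPDATE prints SET predefined = :predefined, module = :module WHERE id = :id'
    );
    $stmt->bindValue(':predefined', $predefined, PDO::PARAM_INT);
    $stmt->bindValue(':module', $module, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    return $stmt->execute();
}
```

With PDO emulated prepares disabled (PDO::ATTR_EMULATE_PREPARES => false) the statement text and the values travel to MySQL separately, so the error-based techniques the advisory mentions have no SQL text to alter.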
- SQL Injection in Stampe Module
- GitHub - devcode-it/openstamanager: OpenSTAManager is an open-source, web-based management software developed in PHP with a MySQL database. It is used to manage technical assistance and electronic invoicing for small and medium-sized businesses. It includes modules for accounting, warehouse management, customer and supplier records, and sales and purchase documents.
- NVD - CVE-2025-69215
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| devcode-it/openstamanager (Packagist) | <= 2.9.8 | — |
Affected products
- Range: <= 2.9.8
- devcode-it/openstamanager: Range <= 2.9.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-qx9p-w3vj-q24q (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-69215 (advisory)
- github.com/devcode-it/openstamanager/security/advisories/GHSA-qx9p-w3vj-q24q (vendor advisory, CONFIRM)
News mentions
No linked articles in our index yet.