VYPR
High severity · NVD Advisory · Published Feb 6, 2026 · Updated Feb 9, 2026

OpenSTAManager has an SQL Injection in Scadenzario Print Template

CVE-2025-69216

Description

OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, an authenticated SQL injection vulnerability in OpenSTAManager's Scadenzario (Payment Schedule) print template allows any authenticated user to extract sensitive data from the database, including admin credentials, customer information, and financial records. The vulnerability exists in templates/scadenzario/init.php, where the id_anagrafica parameter is directly concatenated into an SQL query without proper sanitization. The vulnerability enables complete database read access through error-based SQL injection techniques.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated SQL injection in OpenSTAManager's Scadenzario print template allows any user to extract sensitive database contents.

Vulnerability

Overview

An authenticated SQL injection vulnerability exists in OpenSTAManager versions 2.9.8 and earlier within the Scadenzario (Payment Schedule) print template. The flaw resides in templates/scadenzario/init.php, where the id_anagrafica parameter from GET/POST requests is directly concatenated into an SQL query without sanitization [1][3]. This allows any authenticated user to manipulate the query via error-based SQL injection.

Exploitation

The vulnerable endpoint is /pdfgen.php?ptype=scadenzario&id_anagrafica=[payload]. An attacker with a valid session can inject SQL commands through the id_anagrafica parameter. The application's get() function does not sanitize input, and the code fails to use the prepare() function for safe query construction [3]. A proof-of-concept shows that even a basic syntax error test can confirm injection, and error-based techniques can be used to extract database version and other data [3].

Impact

Successful exploitation grants complete read access to the underlying MySQL database. An attacker can extract admin credentials, customer information, and financial records, compromising the entire application's confidentiality [2][3].

Mitigation

As of the publication date, no official patch has been released. Users should upgrade to a patched version if one becomes available, or apply input validation and parameterized queries as a workaround. The vulnerability affects all authenticated users, regardless of role.
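The workaround above (validate the input, then bind it in a parameterized query) is shown below as an added example; it is not OpenSTAManager's code and does not reproduce templates/scadenzario/init.php. The table name payment_schedule, the DSN and credentials are placeholders, and the only name taken from the advisory is the id_anagrafica parameter. The first function illustrates the concatenation pattern the advisory describes; the second is the hardened form a maintainer would use instead.

```php
<?php
// Added example, not OpenSTAManager code. Table name, DSN and credentials are
// placeholders; replace them with the real connection settings.
$pdo = new PDO('mysql:host=localhost;dbname=placeholder_db;charset=utf8mb4',
               'placeholder_user', 'placeholder_password');
// Throw on DB errors instead of returning false, and use real server-side
// prepares so bound values are never interpolated into the SQL text.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Vulnerable pattern described in the advisory: the request parameter is
// appended to the SQL string, so whatever it contains becomes part of the query.
function scadenzarioQueryVulnerable(PDO $pdo, string $idAnagrafica): array
{
    $sql = "SELECT * FROM payment_schedule WHERE id_anagrafica = " . $idAnagrafica;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: accept only a positive integer, then bind it as a typed
// parameter in a prepared statement, so it can never change the query structure.
function scadenzarioQuerySafe(PDO $pdo, $idAnagrafica): array
{
    $id = filter_var($idAnagrafica, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id_anagrafica must be a positive integer');
    }
    $stmt = $pdo->prepare('SELECT * FROM payment_schedule WHERE id_anagrafica = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Request handling: reject bad input with a generic 400, and keep database
// error text out of the response, since error-based extraction depends on
// the client seeing the DBMS error message.
try {
    $rows = scadenzarioQuerySafe($pdo, $_GET['id_anagrafica'] ?? '');
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('Invalid request');
} catch (PDOException $e) {
    error_log($e->getMessage()); // log server-side only
    http_response_code(500);
    exit('Internal error');
}
```

The integer validation is defence in depth: the prepared statement alone already prevents the parameter from being interpreted as SQL, and the validation additionally turns malformed input into a 400 before any database round trip, which also makes such requests easy to count in access logs.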

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: devcode-it/openstamanager (Packagist)
Affected versions: <= 2.9.8
Patched versions: none listed

Affected products (1)
  • devcode-it/openstamanagerv5
    Range: <= 2.9.8

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.