VYPR

High severity · NVD Advisory · Published Feb 6, 2026 · Updated Feb 6, 2026

OpenSTAManager has an SQL Injection vulnerability in the Scadenzario bulk operations module

CVE-2026-24418

Description

OpenSTAManager is open-source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the bulk operations handler for the Scadenzario (Payment Schedule) module. The application fails to validate that elements of the id_records array are integers before using them in an SQL IN() clause, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpenSTAManager v2.9.8 and earlier contain a critical SQL injection in the Scadenzario module's bulk operations, allowing authenticated attackers to extract database contents via XPATH errors.

OpenSTAManager, open-source management software for technical assistance and invoicing [1], is vulnerable to a critical error-based SQL injection in version 2.9.8 and earlier. The vulnerability resides in the bulk operations handler of the Scadenzario (Payment Schedule) module, where the application fails to validate that elements of the id_records POST array are integers before using them in an SQL IN() clause [2]. The array_clean() function only removes empty values and does not enforce type checking, allowing arbitrary SQL payloads to pass through [3].

Exploitation requires authentication and access to the /actions.php?id_module=18 endpoint, which processes bulk operations for the Scadenzario module [3]. An attacker can inject SQL commands via the id_records[] POST parameter, taking advantage of the fact that the vulnerable code directly concatenates array elements into the query string without parameterization or type validation [3].

The impact is severe: an attacker can leverage XPATH error messages to extract entire database contents, including user credentials, customer personally identifiable information (PII), and financial records [2][3]. This could lead to complete compromise of the application's data confidentiality and integrity.

As of publication, no official patched version has been released; the vendor has not provided a fix [3]. Users are advised to restrict access to the vulnerable endpoint, implement strict input validation, or consider migrating to an alternative solution if the application is no longer supported.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
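The defect described above is a missing type check on a bulk-selection array before it is spliced into an IN() clause. The following PHP is an added example written for this page, not OpenSTAManager's own code: it places the unsafe pattern (empty-value cleaning only, then string concatenation) beside a hardened version that rejects any non-integer element and binds the ids through a prepared statement. The table name `scadenze`, the helper names and the PDO connection are assumptions.

```php
<?php
// Added example (not OpenSTAManager's code). Table name `scadenze`, the
// function names and the PDO connection are assumptions for illustration.
declare(strict_types=1);

/**
 * Unsafe pattern as the advisory describes it: elements are only stripped of
 * empty values and then concatenated into IN() with no type validation.
 * Kept here for contrast; do not use.
 */
function buildUnsafeQuery(array $idRecords): string
{
    // Stand-in for an array_clean()-style helper that only drops empty values.
    $cleaned = array_filter($idRecords, fn($v) => $v !== '' && $v !== null);
    return 'SELECT * FROM scadenze WHERE id IN (' . implode(',', $cleaned) . ')';
}

/**
 * Hardened form: every element must validate as a positive integer, otherwise
 * the whole request is rejected. The SQL uses one positional placeholder per
 * id so the values are bound, never interpolated.
 *
 * @param  array $idRecords raw POST array (e.g. $_POST['id_records'])
 * @return array{0:string,1:int[]} SQL with placeholders and the values to bind
 * @throws InvalidArgumentException on empty input or any non-integer element
 */
function buildSafeQuery(array $idRecords): array
{
    $ids = [];
    foreach ($idRecords as $raw) {
        // FILTER_VALIDATE_INT accepts ints and plain decimal strings only; it
        // rejects arrays, floats like "1.0", exponent forms and out-of-range values.
        $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {
            throw new InvalidArgumentException('id_records must contain only positive integer ids');
        }
        $ids[] = $id;
    }
    if ($ids === []) {
        throw new InvalidArgumentException('id_records must not be empty');
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    return ['SELECT * FROM scadenze WHERE id IN (' . $placeholders . ')', $ids];
}

/**
 * Runs the hardened query. $pdo is an assumed existing PDO connection with
 * emulated prepares disabled so the server performs the binding.
 */
function fetchScadenzeByIds(PDO $pdo, array $idRecords): array
{
    [$sql, $ids] = buildSafeQuery($idRecords);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample inputs resembling a submitted id_records[] array.
$wellFormed = ['12', '7', '3'];
$malformed  = ['12', '7abc', ['nested']]; // constructed bad elements

[$sql, $bound] = buildSafeQuery($wellFormed);
echo $sql, PHP_EOL;                 // SELECT * FROM scadenze WHERE id IN (?,?,?)
echo implode(',', $bound), PHP_EOL; // 12,7,3

try {
    buildSafeQuery($malformed);
} catch (InvalidArgumentException $e) {
    // The request is refused before any SQL is built.
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Rejecting the whole request on the first bad element, rather than silently dropping it, is deliberate: a bulk operation that proceeds on a partially filtered selection is itself a correctness and audit problem, and a hard failure also gives the web server log a clear signal worth alerting on.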

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                 Affected versions   Patched versions
devcode-it/openstamanager (Packagist)   <= 2.9.8            (none)

Affected products: 2

Patches: 0

No patches discovered yet.


References: 3

News mentions: 0

No linked articles in our index yet.