Unauthenticated privilege escalation in OpenSTAManager via modules/utenti/actions.php
Description
OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a privilege escalation and authentication bypass vulnerability in OpenSTAManager allows any attacker to arbitrarily change a user's group (idgruppo) by directly calling modules/utenti/actions.php. This can promote an existing account (e.g. agent) into the Amministratori group as well as demote any user including existing administrators.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenSTAManager 2.9.8 and earlier have an unauthenticated privilege escalation via direct POST requests to modules/utenti/actions.php, allowing arbitrary group changes.
Vulnerability
Overview
A privilege escalation and authentication bypass vulnerability exists in OpenSTAManager versions 2.9.8 and earlier. The file modules/utenti/actions.php can be directly accessed without any authentication or authorization checks. The code explicitly sets $skip_permissions = true; and includes core.php, which disables all permission enforcement [2]. This allows an attacker to craft POST requests to modify user groups, including promoting an existing user to the 'Amministratori' (administrator) group.
Attack
Vector
The vulnerability is exploitable remotely by any unauthenticated attacker who can reach the OpenSTAManager instance. No authentication or cookies are required. The attacker sends a crafted POST request to the vulnerable endpoint with parameters such as idgruppo and op (operation). The advisory provides a proof-of-concept where a user named 'agent' with ID 4 can be promoted to the administrator group without any valid session [2].
Impact
Successful exploitation allows an attacker to assign administrator privileges to existing users, modify group memberships, enable or disable accounts, and perform other sensitive operations exposed in modules/utenti/actions.php. This can lead to complete compromise of the application, as an attacker can gain full administrative control over the management software [2].
Mitigation
As of the advisory publication, no patch has been released. Users should upgrade to a fixed version once available. In the meantime, administrators should restrict network access to the OpenSTAManager instance and monitor for unauthorized requests to modules/utenti/actions.php. The open source repository is available at [1] for tracking updates.
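As an added defensive example (not code from the advisory or from the OpenSTAManager project), the following Python script implements the monitoring suggested above: it parses web-server access-log lines in the common "combined" format and flags every POST to modules/utenti/actions.php, reporting the idgruppo/op query parameters when they happen to be visible. The log lines and IP addresses are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint named in the advisory and the request parameters it describes.
SENSITIVE_PATH = "/modules/utenti/actions.php"
WATCHED_PARAMS = ("op", "idgruppo")

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [18/May/2026:10:01:02 +0000] "POST /modules/utenti/actions.php HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.3 - - [18/May/2026:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [18/May/2026:10:01:09 +0000] "POST /modules/utenti/actions.php?op=update&idgruppo=1 HTTP/1.1" 200 400 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_sensitive_request(method, target):
    """(hit, params): hit is True for any POST to the actions.php path.
    POST bodies are not logged, so every POST to the path is flagged; watched
    parameters are only reported when they appear in the query string."""
    parts = urlsplit(target)
    if method != "POST" or not parts.path.endswith(SENSITIVE_PATH):
        return False, {}
    qs = parse_qs(parts.query)
    return True, {k: qs[k] for k in WATCHED_PARAMS if k in qs}

def scan_log(text):
    """One finding per sensitive request: source IP, timestamp, status, params."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit, params = is_sensitive_request(rec["method"], rec["target"])
        if hit:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "status": int(rec["status"]), "params": params})
    return findings
```

Because the group change is carried in the POST body, any POST to this path from a source that should never administer users is worth an alert, not only those with parameters in the URL.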
- GitHub - devcode-it/openstamanager: OpenSTAManager is an open-source, web-based management software developed in PHP with a MySQL database. It is used to manage technical assistance and electronic invoicing for small and medium-sized businesses. It includes modules for accounting, warehouse management, customer and supplier records, and sales and purchase documents.
- Unauthenticated privilege escalation in OpenSTAManager via modules/utenti/actions.php
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| devcode-it/openstamanager (Packagist) | <= 2.9.8 | — |
Affected products
- Range: <= 2.9.8
- devcode-it/openstamanager (v5): Range <= 2.9.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-247v-7cw6-q57v (GHSA advisory)
- github.com/devcode-it/openstamanager/security/advisories/GHSA-247v-7cw6-q57v (x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.