VYPR
← All advisories
High severity8.8NVD Advisory· Published Apr 2, 2026· Updated Apr 7, 2026

CVE-2026-35168

CVE-2026-35168

Description

OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the Aggiornamenti (Updates) module in OpenSTAManager contains a database conflict resolution feature (op=risolvi-conflitti-database) that accepts a JSON array of SQL statements via POST and executes them directly against the database without any validation, allowlist, or sanitization. An authenticated attacker with access to the Aggiornamenti module can execute arbitrary SQL statements including CREATE, DROP, ALTER, INSERT, UPDATE, DELETE, SELECT INTO OUTFILE, and any other SQL command supported by the MySQL server. Foreign key checks are explicitly disabled before execution (SET FOREIGN_KEY_CHECKS=0), further reducing database integrity protections. This issue has been patched in version 2.10.2.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
devcode-it/openstamanagerPackagist
< 2.10.22.10.2

Affected products

1

Patches

1
43970676bcd6

fix: SQL Injection via Aggiornamenti Module

https://github.com/devcode-it/openstamanagervalentinaMar 5, 2026via ghsa
commit
1 file changed · +49 5
  • modules/aggiornamenti/actions.php+49 5 modified
    @@ -64,22 +64,66 @@
             break;
         }
 
-        $debug_queries = implode('<br>', $queries);
+        // WHITELIST: Permetti solo pattern SQL sicuri
+        $allowed_patterns = [
+            '/^ALTER\s+TABLE\s+`?[\w]+`?\s+(ADD|MODIFY|CHANGE|DROP)\s+(COLUMN\s+)?`?[\w]+`?/i',
+            '/^CREATE\s+(UNIQUE\s+)?INDEX\s+`?[\w]+`?\s+ON\s+`?[\w]+`?\s*\(/i',
+            '/^DROP\s+INDEX\s+`?[\w]+`?\s+ON\s+`?[\w]+`?$/i',
+            '/^UPDATE\s+`?zz_views`?\s+SET\s+/i',
+            '/^INSERT\s+INTO\s+`?zz_\w+`?\s*\(/i',
+            '/^DELETE\s+FROM\s+`?zz_\w+`?\s+WHERE\s+/i',
+        ];
+
+        $safe_queries = [];
+        $rejected = [];
 
-        $dbo->query('SET FOREIGN_KEY_CHECKS=0');
+        foreach ($queries as $query) {
+            $is_safe = false;
+            foreach ($allowed_patterns as $pattern) {
+                if (preg_match($pattern, trim($query))) {
+                    $is_safe = true;
+                    break;
+                }
+            }
+
+            if ($is_safe) {
+                $safe_queries[] = $query;
+            } else {
+                $rejected[] = $query;
+            }
+        }
+
+        if (!empty($rejected)) {
+            echo json_encode([
+                'success' => false,
+                'message' => tr('Query non permesse rilevate. Operazione bloccata per motivi di sicurezza.'),
+                'rejected_count' => count($rejected),
+            ]);
+            break;
+        }
+
+        if (empty($safe_queries)) {
+            echo json_encode([
+                'success' => false,
+                'message' => tr('Nessuna query valida da eseguire dopo la validazione.'),
+            ]);
+            break;
+        }
+
+        $debug_queries = implode('<br>', $safe_queries);
 
         $errors = [];
         $executed = 0;
 
-        foreach ($queries as $query) {
+        foreach ($safe_queries as $query) {
             try {
                 $dbo->query($query);
                 ++$executed;
             } catch (Exception $e) {
-                $errors[] = $query.' - '.$e->getMessage();
+                // Sanifica il messaggio di errore per evitare leak di informazioni
+                $errors[] = tr('Errore durante l\'esecuzione di una query.');
             }
         }
-        $dbo->query('SET FOREIGN_KEY_CHECKS=1');
 
         if (empty($errors)) {
             $success_message = tr('Tutte le query sono state eseguite con successo (_NUM_ query).', [

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.