Runprogram

**Name of the Vulnerable Software and Affected Versions** OpenSTAManager versions 2.9.8 and earlier **Description** OpenSTAManager is a management software for technical assistance and invoicing. A privilege escalation and authentication bypass exists in versions 2.9.8 and earlier, allowing an attacker to arbitrarily change a user's group (`idgruppo`) by directly calling the `modules/utenti/actions.php` endpoint. This can promote an existing account, such as an agent, to the Amministratori group, or demote any user, including existing administrators. **Recommendations** Versions prior to 2.9.8 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.