PT-2026-29657 · Unknown · Openstamanager
Ormzro · Published 2026-04-01 · Updated 2026-04-05 · CVE-2026-28805
CVSS v3.1 8.8 High
Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions OpenSTAManager versions prior to 2.10.2
Description OpenSTAManager is vulnerable to time-based blind SQL injection through the options[stato] GET parameter in multiple AJAX select handlers. The user-supplied value of options[stato] is concatenated directly into SQL WHERE clauses without sanitization, parameterization, or allowlist validation, so an authenticated attacker can inject arbitrary SQL and extract sensitive data from the database, including usernames, password hashes, and financial records. The affected endpoints are /ajax_select.php?op=preventivi, /ajax_select.php?op=ordini-cliente, and /ajax_select.php?op=contratti; the vulnerable variable is options[stato]. The input passes only through HTMLPurifier, which sanitizes HTML and does not strip SQL keywords or operators, so it offers no protection here. Exploitation potentially compromises confidentiality, integrity, and availability.
Recommendations Installations running versions prior to 2.10.2 should add allowlist validation for the options[stato] parameter so that only permitted column names are used. Alternatively, apply strict regex validation to control the format of the input. As a supplementary measure, wrap the column name in backticks so the database treats it as an identifier. Audit every use of $superselect across the codebase and validate any value that becomes part of a SQL expression.
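The following PHP sketch is an added illustration, not code from the advisory or from OpenSTAManager: it places the concatenation pattern the description refers to beside the allowlist, identifier-format check and backtick quoting the recommendations call for. The column names, the $options array shape and the :valore placeholder are assumptions.

```php
<?php
// Added example, not OpenSTAManager's own code. It shows the unsafe pattern the
// advisory describes beside an allowlisted, backtick-quoted replacement.
// The column names and the $options array shape are assumptions.

declare(strict_types=1);

// Hypothetical set of columns a select handler may legitimately filter on.
const ALLOWED_STATO_COLUMNS = ['idstato', 'stato', 'is_completato'];

// Vulnerable pattern (constructed to mirror the advisory): options[stato] is
// concatenated straight into the WHERE clause. HTML sanitization such as
// HTMLPurifier leaves SQL keywords and operators untouched, so it is no defence.
function buildWhereVulnerable(array $options): string
{
    $stato = (string) ($options['stato'] ?? '');
    return 'WHERE ' . $stato . ' = :valore';
}

// Hardened pattern: the value must match an allowlist entry exactly, must look
// like a plain identifier (defence in depth if the allowlist is edited later),
// and is wrapped in backticks so the database can only read it as a column name.
function buildWhereHardened(array $options): string
{
    $stato = $options['stato'] ?? null;
    if (!is_string($stato) || !in_array($stato, ALLOWED_STATO_COLUMNS, true)) {
        throw new InvalidArgumentException('options[stato] is not a permitted column');
    }
    if (!preg_match('/^[a-z_][a-z0-9_]{0,63}$/', $stato)) {
        throw new InvalidArgumentException('options[stato] is not a valid identifier');
    }
    return 'WHERE `' . $stato . '` = :valore';
}

// Demonstration with constructed inputs; the comparison value is bound
// separately through a PDO placeholder (:valore) rather than interpolated.
$inputs = [
    ['stato' => 'idstato'],      // permitted
    ['stato' => 'descrizione'],  // real-looking column but not allowlisted
    ['stato' => 'id stato'],     // not an identifier: rejected before any query
];
foreach ($inputs as $options) {
    echo 'unsafe:   ' . buildWhereVulnerable($options) . PHP_EOL;
    try {
        echo 'hardened: ' . buildWhereHardened($options) . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'hardened: rejected (' . $e->getMessage() . ')' . PHP_EOL;
    }
}
```

The unsafe builder emits whatever it was given for every input, while the hardened builder returns a clause only for the allowlisted column and throws for the other two.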

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-28805
GHSA-3GW8-3MG3-JMPC

Affected Products

Openstamanager