PT-2026-6769 · Unknown · Openstamanager

Published: 2026-02-06 · Updated: 2026-02-06 · CVE-2025-69216

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenSTAManager versions 2.9.8 and earlier

Description: OpenSTAManager is susceptible to an authenticated SQL injection issue within the Scadenzario (Payment Schedule) print template. Any authenticated user can exploit this to extract sensitive data from the database, including admin credentials, customer information, and financial records. The vulnerability resides in the templates/scadenzario/init.php file, specifically where the id_anagrafica parameter is directly incorporated into an SQL query without adequate sanitization. This allows complete database read access through error-based SQL injection techniques. The vulnerable endpoint is /pdfgen.php?ptype=scadenzario&id_anagrafica=[INJECTION PAYLOAD]; the vulnerable parameter is id_anagrafica.

Recommendations: Versions prior to 2.9.8 are vulnerable.
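As an added detection example (not part of the advisory or of the OpenSTAManager code), the following Python scans web-server access-log lines for requests to the print endpoint named above whose id_anagrafica value is not a plain integer, which is what the template should only ever receive. The log lines, user names and addresses are constructed, and the combined-log line format is assumed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic). Line 1 is a normal
# print request; lines 2 and 4 carry non-integer id_anagrafica values; line 3
# targets a different print type and should be ignored.
SAMPLE_LOG = """\
10.0.0.5 - mario [06/Feb/2026:10:01:12 +0100] "GET /pdfgen.php?ptype=scadenzario&id_anagrafica=42 HTTP/1.1" 200 5120
10.0.0.7 - luca [06/Feb/2026:10:02:40 +0100] "GET /pdfgen.php?ptype=scadenzario&id_anagrafica=42%27 HTTP/1.1" 500 311
10.0.0.9 - anna [06/Feb/2026:10:03:05 +0100] "GET /pdfgen.php?ptype=fattura&id_record=7 HTTP/1.1" 200 9000
10.0.0.7 - luca [06/Feb/2026:10:03:30 +0100] "GET /pdfgen.php?ptype=scadenzario&id_anagrafica=1%20OR%201%3D1 HTTP/1.1" 200 5120
"""

# Assumed combined-log layout: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)

def parse_line(line):
    """Return a dict with path, decoded query parameters and request metadata, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # parse_qs percent-decodes values, so 42%27 becomes 42'
    entry["query"] = parse_qs(parts.query, keep_blank_values=True)
    return entry

def is_suspicious(entry):
    """True for the scadenzario print endpoint when id_anagrafica is present but not a bare integer."""
    if entry is None or entry["path"] != "/pdfgen.php":
        return False
    if entry["query"].get("ptype") != ["scadenzario"]:
        return False
    values = entry["query"].get("id_anagrafica", [])
    return any(re.fullmatch(r"\d+", v) is None for v in values)

def scan_log(text):
    """Collect the flagged requests; a 500 status alongside a hit is consistent with error-based probing."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if is_suspicious(entry):
            hits.append({k: entry[k] for k in ("ts", "ip", "user", "status")}
                        | {"id_anagrafica": entry["query"]["id_anagrafica"]})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```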

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2025-69216, GHSA-Q6G3-FV43-M2W6

Affected Products: Openstamanager