
7 matches found

Cvelist
added 2026/04/02 1:44 p.m. | 20 views

CVE-2026-28805 OpenSTAManager: Time-Based Blind SQL Injection via `options[stato]` Parameter

OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the `options[stato]` GET parameter. The user-supplied value is read from...

CVSS: 8.8 | EPSS: 0.0046
Exploits: 1 | References: 4
Vulnrichment
added 2026/04/02 1:44 p.m. | 2 views

CVE-2026-28805 OpenSTAManager: Time-Based Blind SQL Injection via `options[stato]` Parameter

OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the `options[stato]` GET parameter. The user-supplied value is read from...

CVSS: 8.8 | AI score: 6 | EPSS: 0.0046
Exploits: 1 | References: 4
ATTACKERKB
added 2026/04/02 1:44 p.m. | 4 views

CVE-2026-28805

OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the `options[stato]` GET parameter. The user-supplied value is read from...

CVSS: 8.8 | AI score: 6 | EPSS: 0.0046
Exploits: 1 | References: 5 | Affected Software: 1
CVE
added 2026/04/02 1:44 p.m. | 16 views

CVE-2026-28805

OpenSTAManager before v2.10.2 is vulnerable to Time-Based Blind SQL Injection via the options[stato] parameter in multiple AJAX endpoints (preventivi, ordini-cliente, contratti). The user-supplied value is read from $superselect['stato'] and concatenated into SQL WHERE clauses without sanitizatio...

CVSS: 8.8 | AI score: 6 | EPSS: 0.0046
Exploits: 1 | References: 4 | Affected Software: 1
OSV
added 2026/04/01 7:46 p.m. | 3 views

GHSA-3GW8-3MG3-JMPC OpenSTAManager has a Time-Based Blind SQL Injection via `options[stato]` Parameter

Description: Multiple AJAX select handlers in OpenSTAManager <= 2.10.1 are vulnerable to Time-Based Blind SQL Injection through the `options[stato]` GET parameter. The user-supplied value is read from `$superselect['stato']` and concatenated directly into SQL WHERE clauses as a bare expression, without any...

CVSS: 8.8 | AI score: 6.1 | EPSS: 0.0046
Exploits: 1 | References: 6
Snyk
added 2026/04/01 7:46 p.m. | 3 views

SQL Injection

Overview: devcode-it/openstamanager is a management software for technical assistance and electronic invoicing. Affected versions of this package are vulnerable to SQL Injection in the processing of the `options[stato]` parameter in multiple AJAX select handlers. An attacker can execute arbitrary SQL...

CVSS: 8.8 | AI score: 6.1 | EPSS: 0.0046
Exploits: 1 | References: 2
Github Security Blog
added 2026/04/01 7:46 p.m. | 13 views

OpenSTAManager has a Time-Based Blind SQL Injection via `options[stato]` Parameter

Description: Multiple AJAX select handlers in OpenSTAManager <= 2.10.1 are vulnerable to Time-Based Blind SQL Injection through the `options[stato]` GET parameter. The user-supplied value is read from `$superselect['stato']` and concatenated directly into SQL WHERE clauses as a bare expression, without any...

CVSS: 8.8 | AI score: 6.1 | EPSS: 0.0046
Exploits: 1 | References: 6 | Affected Software: 1