17 matches found
CVE-2023-38878
DevCode OpenSTAManager is affected by a reflected XSS in versions 2.4.24–2.4.47. The vulnerability arises from injecting malicious payloads into the error and error_description parameters of oauth2.php, allowing a remote attacker to execute JavaScript in a victim’s browser. Public documents do no...
CVE-2026-29782
OpenSTAManager CVE-2026-29782 describes an unauthenticated deserialization vulnerability in the OAuth2 flow. The oauth2.php endpoint reads and deserializes the access_token field from zz_oauth2 without class restrictions, enabling an attacker who can modify the database (e.g., via another vulnera...
CVE-2026-38751
CVE-2026-38751 affects OpenSTAManager versions prior to 2.11 (2.10 and earlier) and is an arbitrary file upload vulnerability in the module update endpoint (modules/aggiornamenti/upload_modules.php). The Red Hat/NVD/CVE records, along with PT-Security and CVE enrichment sources, confirm a vulnera...
CVE-2026-27012
OpenSTAManager CVE-2026-27012 affects 2.9.8 and earlier, enabling unauthenticated privilege escalation via modules/utenti/actions.php. An attacker can call the PHP endpoint to arbitrarily change a user’s group (idgruppo), promoting a normal account (e.g., agent) to Amministratori or demoting admi...
CVE-2026-28805
OpenSTAManager before v2.10.2 is vulnerable to Time-Based Blind SQL Injection via the options[stato] parameter in multiple AJAX endpoints (preventivi, ordini-cliente, contratti). The user-supplied value is read from $superselect['stato'] and concatenated into SQL WHERE clauses without sanitizatio...
CVE-2025-69214
OpenSTAManager (versions 2.9.8 and earlier) contains an SQL Injection in the ajax_select.php endpoint when handling the componenti operation. The vulnerability arises from directly concatenating user-supplied input from options[matricola] into an IN() clause in modules/impianti/ajax/select.php, e...
CVE-2025-69212
OpenSTAManager (2.9.8 and earlier) is affected by a critical OS Command Injection in decoding P7M (signed XML) files. The root cause is that decodeP7M($file) passes user-controlled filenames directly into PHP’s exec() without proper sanitization, enabling an authenticated attacker to craft a ZIP ...
CVE-2026-35470
OpenSTAManager
CVE-2025-69216
OpenSTAManager (versions 2.9.8 and earlier) contains an authenticated SQL injection in the Scadenzario (Payment Schedule) print template. The flaw resides in templates/scadenzario/init.php where the id_anagrafica parameter is directly concatenated into an SQL query, bypassing sanitization. This e...
CVE-2026-24415
CVE-2026-24415 affects OpenSTAManager v2.9.8 and earlier, exposing multiple modules (contratti, preventivi, fatture, ddt, ordini, interventi) to Reflected XSS via the GET parameter righe in the modifica_iva.php modals. The vulnerability echoes $_GET['righe'] directly into HTML value attributes wi...
CVE-2026-24416
CVE-2026-24416 affects OpenSTAManager (v2.9.8 and earlier). A critical Time-Based Blind SQL Injection exists in the article pricing completion path, triggered via the GET parameter idarticolo in the /modules/articoli/ajax/complete.php endpoint. The root cause is an inconsistent query construction...
CVE-2026-24418
OpenSTAManager (v2.9.8 and earlier) contains a critical Error-Based SQL Injection in the Scadenzario bulk operations module. The vulnerability arises because the id_records[] array from POST to /actions.php?id_module=18 is not validated as integers before being concatenated into an SQL IN() claus...
CVE-2026-35168
OpenSTAManager before version 2.10.2 exposes a vulnerability in the Aggiornamenti module (op=risolvi-conflitti-database). It accepts a JSON array of SQL statements via POST and executes them directly on the MySQL database without validation, allowlists, or sanitization, enabling an authenticated ...
CVE-2026-24417
OpenSTAManager (v2.9.8 and earlier) contains a Time-Based Blind SQL Injection in the global search that concatenates the user-supplied term into SQL LIKE clauses across 10+ modules via /ajax_search.php. The vulnerability arises from direct string interpolation of $term in multiple module search.p...
CVE-2025-69213
CVE-2025-69213 affects OpenSTAManager prior to 2.10-beta, with a SQL Injection in the ajax_complete.php endpoint (get_sedi) that concatenates user input from the idanagrafica parameter into the SQL query. The vulnerability enables an authenticated attacker to inject SQL via idanagrafica, potentia...
CVE-2025-69215
OpenSTAManager’s Stampe Module (version 2.9.8 and earlier) contains an SQL Injection in the Stampe actions.php handler (case 'update'): the POST parameter module is concatenated into an UPDATE query without proper sanitization, enabling error-based SQL injection via endpoints like POST /modules/s...
CVE-2026-24419
OpenSTAManager (v2.9.8 and earlier) contains a critical Error-Based SQL Injection in the Prima Nota (Journal Entry) module, via unsafely handling id_documenti from GET: values are split by comma and injected into an IN() clause without type validation. Technical details across multiple sources co...