What Happened

A high-severity SQL Injection vulnerability, tracked as CVE-2026-35470, has been disclosed in OpenSTAManager, a widely used open-source application for managing technical assistance and invoicing. It affects all versions prior to 2.10.2. The flaw lies in the application's confronta_righe.php files, which build SQL queries from request input without proper handling, allowing sensitive data to be read from the database. According to the disclosure, the flaw was identified and reported in October 2023, and it is a significant concern for businesses that rely on this software.

OpenSTAManager's users are mainly small and medium-sized enterprises (SMEs) that use it for technical service management and invoicing. The vulnerable code reads the righe parameter from the HTTP GET query string and concatenates it directly into SQL queries without validation or parameterization. Any user who holds valid credentials for the application can therefore inject arbitrary SQL through that parameter.

Technical Details

CVE-2026-35470 affects the confronta_righe.php files present in several OpenSTAManager modules. In each case the value of $_GET['righe'] is inserted into the SQL query text as-is, with no sanitization or use of bound parameters, so the query structure is under the control of whoever supplies the parameter.

The flaw carries a CVSS score of 8.8 (high). Exploitation requires authenticated access, so an attacker first needs a valid account on the application, whether obtained legitimately, through phishing, or through credential reuse. Once authenticated, the attacker can execute arbitrary SQL statements through the injection point and read data the application never intended to expose, such as user credentials, customer information, and invoice records.

Indicators of Compromise (IOCs) include requests to confronta_righe.php whose righe parameter contains anything other than the expected row identifiers (for example quotes, parentheses, OR, UNION or SQL comment sequences, possibly URL-encoded), database query logs showing statements outside the application's normal patterns, and bursts of HTTP 500 responses from confronta_righe.php, which often appear while an attacker probes the injection point with malformed input.
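The following is an added example, not code from OpenSTAManager or from the original advisory: a small scanner that applies the IOCs above to web server access logs. It picks out requests to confronta_righe.php, URL-decodes the righe parameter, flags any value that is not a comma-separated list of integers, and counts HTTP 500 responses per source address. The log lines, IP addresses and module paths are constructed for the example; the assumption that a legitimate righe value is a list of integer row IDs is not confirmed by the advisory and should be checked against your deployment.

```python
"""
Added example (not OpenSTAManager's code): scan access logs for the IOCs
named in the advisory for CVE-2026-35470.

Assumptions (labelled): Apache/nginx combined-style log lines, and a
legitimate `righe` value is a comma-separated list of integer row IDs.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Common/combined log format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Assumed shape of a benign `righe` value: "12" or "12,13,14"
VALID_RIGHE = re.compile(r"\d+(?:,\d+)*")

# Constructed sample log (not real traffic). Payloads are URL-encoded as a
# web server would record them: %29 = ')', %27 = "'", %22 = '"', %3D = '='.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2026:10:00:01 +0000] "GET /modules/interventi/confronta_righe.php?righe=12,13 HTTP/1.1" 200 1842
203.0.113.5 - - [01/Mar/2026:10:00:05 +0000] "GET /modules/interventi/confronta_righe.php?righe=12%29%20OR%201%3D1%20-- HTTP/1.1" 200 9210
198.51.100.7 - - [01/Mar/2026:10:01:10 +0000] "GET /modules/interventi/confronta_righe.php?righe=12%27 HTTP/1.1" 500 0
198.51.100.7 - - [01/Mar/2026:10:01:11 +0000] "GET /modules/interventi/confronta_righe.php?righe=12%22 HTTP/1.1" 500 0
198.51.100.7 - - [01/Mar/2026:10:01:12 +0000] "GET /modules/interventi/confronta_righe.php?righe=0%29+UNION+SELECT+1,2,3-- HTTP/1.1" 500 0
192.0.2.9 - - [01/Mar/2026:10:02:00 +0000] "GET /modules/preventivi/confronta_righe.php?righe=7 HTTP/1.1" 200 1333
"""


def scan_log(text: str, error_threshold: int = 3):
    """Return (alerts, bursts).

    alerts: one dict per request to confronta_righe.php whose decoded `righe`
            value does not look like a list of integer IDs.
    bursts: source IPs that produced at least `error_threshold` HTTP 5xx
            responses from confronta_righe.php (probing often shows up this way).
    """
    alerts = []
    errors_by_ip = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognised log line; skip rather than guess
        url = urlsplit(m["path"])
        if not url.path.endswith("/confronta_righe.php"):
            continue
        status = int(m["status"])
        if status >= 500:
            errors_by_ip[m["ip"]] += 1
        # parse_qs percent-decodes and turns '+' into spaces, so the check runs
        # on the value the PHP code would actually have seen in $_GET['righe'].
        for value in parse_qs(url.query, keep_blank_values=True).get("righe", []):
            if not VALID_RIGHE.fullmatch(value):
                alerts.append(
                    {"ip": m["ip"], "time": m["ts"], "righe": value, "status": status}
                )
    bursts = {ip: n for ip, n in errors_by_ip.items() if n >= error_threshold}
    return alerts, bursts


if __name__ == "__main__":
    found, noisy = scan_log(SAMPLE_LOG)
    for a in found:
        print(f"{a['time']} {a['ip']} status={a['status']} righe={a['righe']!r}")
    print("5xx bursts:", noisy)
```

Two caveats when running this against real logs: the check only works if the web server records the query string (some log formats truncate it), and a single layer of decoding is applied, so payloads that are double-encoded, sent in a POST body, or split across parameters will need the decode step adjusted for how your PHP front end actually receives them. The status-200 tautology request in the sample is the important one: a successful injection does not necessarily produce errors, so matching on the parameter value matters more than counting 500s.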

Impact

Organizations running OpenSTAManager versions prior to 2.10.2 are exposed to data theft through this SQL Injection flaw. The impact falls most heavily on SMEs that depend on OpenSTAManager for client data and day-to-day business operations. Successful exploitation leaks customer and user data, with the attendant privacy violations, financial loss and reputational damage. Given the high severity and the ease of exfiltration once an account is in hand, remediation is urgent.

What To Do

  • Upgrade: Update to OpenSTAManager version 2.10.2 or later without delay. That release fixes the SQL Injection by validating the input and using parameterized SQL queries.
  • Input Validation: Until the upgrade is applied, add validation in front of the application where you can (for example a web server or WAF rule that rejects requests to confronta_righe.php whose righe parameter is not a list of numeric identifiers). Treat this as a stopgap; filtering or escaping at the edge does not replace parameterized queries in the code.
  • Monitoring: Review web server access logs and database query logs for requests to confronta_righe.php with unexpected righe values, and for bursts of HTTP 500 responses, and keep that monitoring in place after upgrading.
  • Access Control: Run the application against a database account with the minimum privileges it needs (access to its own schema only, no administrative or file-access privileges), so that an injection cannot reach beyond the application's own tables. Review which users hold accounts on the application, since any valid account suffices to exploit this flaw.
  • User Education: Train staff to recognise phishing and social-engineering attempts, because a stolen application login is all an attacker needs to reach the vulnerable endpoint.
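To make the Technical Details and the Upgrade/Input Validation items concrete, here is an added example that is not OpenSTAManager's code (the real endpoint is PHP and its exact query is not reproduced in the advisory). It models the vulnerable pattern in Python against an in-memory SQLite table, shows what an authenticated user can pull out of it with a crafted righe value, and places the hardened version beside it: the input is validated as a list of integer IDs and then bound through placeholders. Table names, column names, the assumption that righe is spliced into an IN (...) clause, and all sample rows are invented for the example.

```python
"""
Added example (not OpenSTAManager's code): the injection class behind
CVE-2026-35470, vulnerable form beside the hardened form.

Assumptions (labelled): `righe` is a comma-separated list of row IDs that the
vulnerable code splices into an IN (...) clause. Tables, columns and data are
constructed for the example.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: document rows for two customers plus a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE righe_documenti "
        "(id INTEGER PRIMARY KEY, idcliente INTEGER, descrizione TEXT, prezzo REAL)"
    )
    conn.executemany(
        "INSERT INTO righe_documenti VALUES (?, ?, ?, ?)",
        [
            (1, 10, "Intervento tecnico", 120.0),
            (2, 10, "Ricambio", 35.5),
            (3, 20, "Canone mensile", 99.0),
            (4, 20, "Trasferta", 40.0),
        ],
    )
    conn.execute("CREATE TABLE utenti (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO utenti VALUES (?, ?, ?)",
        [(1, "admin", "$2y$10$constructed-hash-admin"), (2, "tecnico", "$2y$10$constructed-hash-tecnico")],
    )
    return conn


def vulnerable_compare(conn, righe: str, idcliente: int):
    """Mirrors the flaw: the raw request value becomes part of the SQL text."""
    sql = (
        "SELECT id, descrizione, prezzo FROM righe_documenti "
        f"WHERE idcliente = {idcliente} AND id IN ({righe})"
    )
    return conn.execute(sql).fetchall()


# A benign value is one or more integers separated by commas, nothing else.
VALID_RIGHE = re.compile(r"\d+(?:,\d+)*")


def parse_righe(righe: str) -> list[int]:
    """Reject anything that is not a list of integer IDs before it nears the database."""
    if not VALID_RIGHE.fullmatch(righe):
        raise ValueError("righe must be a comma-separated list of integer IDs")
    return [int(x) for x in righe.split(",")]


def hardened_compare(conn, righe: str, idcliente: int):
    """Validated input, bound through placeholders; the placeholder string is
    built from '?' characters only, never from user data."""
    ids = parse_righe(righe)
    placeholders = ",".join("?" * len(ids))
    sql = (
        "SELECT id, descrizione, prezzo FROM righe_documenti "
        f"WHERE idcliente = ? AND id IN ({placeholders})"
    )
    return conn.execute(sql, [idcliente, *ids]).fetchall()


def demo() -> dict:
    """Run both forms against the same data with a legitimate value and two payloads."""
    conn = make_db()
    legit = "1,2"
    tautology = "1) OR 1=1 --"                                  # drops the customer filter
    union = "0) UNION SELECT id, username, password FROM utenti --"  # reads credentials
    out = {
        "vuln_legit": vulnerable_compare(conn, legit, 10),
        "vuln_tautology": vulnerable_compare(conn, tautology, 10),
        "vuln_union": vulnerable_compare(conn, union, 10),
        "hard_legit": hardened_compare(conn, legit, 10),
        "hard_other_customer": hardened_compare(conn, "3,4", 10),
    }
    for name, payload in (("hard_tautology", tautology), ("hard_union", union)):
        try:
            hardened_compare(conn, payload, 10)
            out[name] = "accepted"
        except ValueError:
            out[name] = "rejected"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The tautology payload shows the authorization bypass (rows from customer 20 come back on a query scoped to customer 10), and the UNION payload shows how the same injection point yields the credential table the advisory warns about; the hardened form rejects both before any SQL is built and still honours the customer filter for well-formed input. If the real endpoint's righe has a different shape than a plain ID list, adjust the validation regex to that shape; the parameterization does not change.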

In closing, organizations using OpenSTAManager should apply the 2.10.2 update promptly and confirm from their logs that the endpoint was not already probed. Addressing this vulnerability now protects the customer and financial data the application holds against a straightforward, authenticated data-extraction attack.