CVE-2026-28805— OpenSTAManager: Time-Based Blind SQL Injection via `options[stato]` Parameter

OpenSTAManager: Time-Based Blind SQL Injection via `options[stato]` Parameter

OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the options[stato] GET parameter. The user-supplied value is read from $superselect['stato'] and concatenated directly into SQL WHERE clauses as a bare expression, without any sanitization, parameterization, or allowlist validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including usernames, password hashes, financial records, and any other information stored in the MySQL database. This issue has been patched in version 2.10.2.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

SQL命令中使用的特殊元素转义处理不恰当(SQL注入)

OpenSTAManager SQL注入漏洞

OpenSTAManager是Devcode开源的一个用于技术援助和计费的开源管理软件。 OpenSTAManager 2.10.2之前版本存在SQL注入漏洞，该漏洞源于多个AJAX选择处理程序对options stato参数未进行清理或验证，可能导致基于时间的盲SQL注入攻击。

N/A

N/A