CVE-2025-69216
BaseFortify

Publication date: 2026-02-06

Last updated on: 2026-02-09

Assigner: GitHub, Inc.

Description
OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, an authenticated SQL injection vulnerability in OpenSTAManager's Scadenzario (Payment Schedule) print template allows any authenticated user to extract sensitive data from the database, including admin credentials, customer information, and financial records. The vulnerability exists in templates/scadenzario/init.php, where the id_anagrafica parameter is directly concatenated into an SQL query without proper sanitization. The vulnerability enables complete database read access through error-based SQL injection techniques.
Meta Information
Published: 2026-02-06
Last Modified: 2026-02-09
Generated: 2026-06-16
AI Q&A: 2026-02-06
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor: devcode
Product: openstamanager
Version / Range: to 2.9.8 (inc)
CWE ID: CWE-89
Description: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Executive Summary

CVE-2025-69216 is an authenticated SQL injection vulnerability in OpenSTAManager's Scadenzario (Payment Schedule) print template affecting versions up to 2.9.8.

The vulnerability exists because the id_anagrafica parameter is directly concatenated into an SQL query without proper sanitization or use of prepared statements, allowing attackers to manipulate SQL commands.

Any authenticated user, regardless of privilege level, can exploit this flaw to perform error-based SQL injection attacks that extract sensitive data from the database. [1]

Impact Analysis

This vulnerability allows an authenticated user with low privileges to gain complete read access to the database.

  • Extraction of sensitive data such as admin credentials, including usernames, emails, and partial bcrypt password hashes.
  • Access to customer information and financial records stored in the database.

The impact includes a high risk to confidentiality and integrity of the system and its data, potentially leading to unauthorized data disclosure and further exploitation.

Detection Guidance

This vulnerability can be detected by testing the vulnerable endpoint for SQL injection using the id_anagrafica parameter in the URL /pdfgen.php?ptype=scadenzario&id_anagrafica=[INJECTION_PAYLOAD].

Proof of Concept (PoC) exploitation steps include triggering SQL syntax errors by injecting malformed input and extracting database information using error-based SQL injection techniques.

Automated tools like SQLMap can be used to confirm the presence of the vulnerability with confirmed injection types including Boolean-based blind, error-based, and time-based blind SQL injection.

  • Use SQLMap with a command similar to: sqlmap -u "http://target/pdfgen.php?ptype=scadenzario&id_anagrafica=1" --cookie="[valid_auth_cookie]" --dbs
  • Manually test by injecting malformed input in the id_anagrafica parameter to trigger SQL errors, e.g., id_anagrafica=1' or id_anagrafica=1" [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint to only trusted authenticated users and monitoring for suspicious activity on the /pdfgen.php?ptype=scadenzario endpoint.

Since no patch is currently available, avoid using the affected versions (2.9.8 and earlier) or disable the Scadenzario print template functionality if possible.

Implement input validation and sanitization on the id_anagrafica parameter and other user inputs to prevent SQL injection.

Use prepared statements with parameterized queries instead of directly concatenating user input into SQL queries.

Ensure that only authenticated users with the minimum necessary privileges can access the application.
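
For the monitoring step above, the following added example (not code from OpenSTAManager or from this advisory) scans web server access logs for requests to the Scadenzario print endpoint whose id_anagrafica value is not a plain integer. It assumes combined-format access logs and that a legitimate id_anagrafica is a numeric record id; the function name and sample log entries are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined-format access log entry (assumed log format).
ENTRY_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Assumption: a legitimate id_anagrafica is a plain integer record id.
NUMERIC_ID = re.compile(r"\d{1,10}")


def suspicious_requests(log_lines):
    """Return (ip, status, id_anagrafica values) for Scadenzario print requests
    whose id_anagrafica is repeated or is not a plain integer."""
    findings = []
    for line in log_lines:
        entry = ENTRY_RE.match(line)
        if not entry:
            continue
        url = urlsplit(entry.group("target"))
        if not url.path.endswith("/pdfgen.php"):
            continue
        # parse_qs percent-decodes values, so an encoded quote is seen as a quote.
        params = parse_qs(url.query)
        if "scadenzario" not in params.get("ptype", []):
            continue
        values = params.get("id_anagrafica", [])
        if len(values) > 1 or any(not NUMERIC_ID.fullmatch(v) for v in values):
            findings.append((entry.group("ip"), int(entry.group("status")), values))
    return findings


# Constructed sample entries (documentation IP range, invented statuses and sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Feb/2026:10:00:01 +0000] "GET /pdfgen.php?ptype=scadenzario&id_anagrafica=12 HTTP/1.1" 200 48211',
    '192.0.2.44 - - [09/Feb/2026:10:02:17 +0000] "GET /pdfgen.php?ptype=scadenzario&id_anagrafica=1%27 HTTP/1.1" 500 312',
    '192.0.2.44 - - [09/Feb/2026:10:02:19 +0000] "GET /pdfgen.php?ptype=scadenzario&id_anagrafica=1%22 HTTP/1.1" 500 312',
    '192.0.2.10 - - [09/Feb/2026:10:03:40 +0000] "GET /pdfgen.php?ptype=other&id_anagrafica=abc HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, status, values in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} status={status} id_anagrafica={values!r}")
```

Access logs record only the query string, so this covers GET requests; parameters sent in a request body need application-level or WAF logging instead.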
