CVE-2026-28805
Time-Based Blind SQL Injection in OpenSTAManager AJAX Handlers

Publication date: 2026-04-02

Last updated on: 2026-04-07

Assigner: GitHub, Inc.

Description
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the options[stato] GET parameter. The user-supplied value is read from $superselect['stato'] and concatenated directly into SQL WHERE clauses as a bare expression, without any sanitization, parameterization, or allowlist validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including usernames, password hashes, financial records, and any other information stored in the MySQL database. This issue has been patched in version 2.10.2.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-02
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: devcode
Product: openstamanager
Version / Range: up to 2.10.2 (excluding 2.10.2)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-28805 is a Time-Based Blind SQL Injection vulnerability in OpenSTAManager versions prior to 2.10.2. It occurs because the user-supplied value from the options[stato] GET parameter is directly concatenated into SQL WHERE clauses without any sanitization, parameterization, or allowlist validation. This allows an authenticated attacker to inject arbitrary SQL code.

The vulnerability affects multiple AJAX select handlers in different modules (Preventivi, Ordini, Contratti) where the stato parameter is used as a column name or expression in SQL queries. The input is sanitized only by HTMLPurifier, which removes HTML tags but does not prevent SQL injection.

Exploitation involves sending specially crafted requests with malicious SQL payloads in the options[stato] parameter, enabling attackers to perform time-based blind SQL injection attacks to extract sensitive data from the database.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the affected AJAX endpoints in OpenSTAManager for time-based blind SQL injection via the options[stato] GET parameter.

A practical detection method involves sending authenticated GET requests to the vulnerable endpoints with specially crafted payloads that cause a delay in the response if the injection is successful.

For example, an attacker or tester can inject a payload using the SLEEP() function in MySQL to observe a delayed response, confirming the vulnerability.

  • Send an authenticated GET request to `/ajax_select.php?op=preventivi&options[stato]=SLEEP(10)` and observe if the response is delayed by approximately 10 seconds.
  • Similarly, test `/ajax_select.php?op=ordini-cliente&options[stato]=SLEEP(10)` and `/ajax_select.php?op=contratti&options[stato]=SLEEP(10)`.

Because the application passes the value only through HTMLPurifier, which does not remove SQL keywords or operators, the injection can be confirmed using MySQL functions such as GREATEST() to bypass character filtering.

Note that these tests require valid authentication credentials since the vulnerability requires an authenticated user.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade OpenSTAManager to version 2.10.2 or later, where this vulnerability has been fixed.

The patch includes multiple security improvements such as strict allowlist validation of the options[stato] parameter against predefined allowed column names, sanitization of input by removing backticks, and proper quoting of SQL identifiers.

If upgrading immediately is not possible, apply the following mitigations:

  • Implement allowlist validation for the options[stato] parameter to restrict it to known safe column names for each module.
  • Strip backtick characters from the input and wrap the validated name in backticks so the database treats it as an identifier rather than an expression.
  • Use strict regex validation to allow only alphabetic characters and underscores in the parameter.
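The three interim mitigations above, applied together in one handler, as an added example written for this page (it is not OpenSTAManager's own code and does not reproduce the 2.10.2 patch). It shows the unsafe concatenation the advisory describes next to a hardened version that strips backticks, enforces a letters-and-underscores regex, checks a per-module allowlist and quotes the identifier. The module keys, the allowed column names and the function names are constructed for the example; a PHP 8 runtime is assumed.

```php
<?php
// Added example, not OpenSTAManager's own code. Shows the unsafe pattern the
// advisory describes (options[stato] concatenated as a bare expression) next
// to a handler that applies the three fixes listed above: backtick stripping,
// a strict identifier regex, and a per-module allowlist. The module keys and
// column names below are constructed for the example.

const ALLOWED_STATO_COLUMNS = [
    'preventivi'     => ['stato', 'idstato'],
    'ordini-cliente' => ['stato', 'idstato'],
    'contratti'      => ['stato', 'idstato'],
];

// Unsafe: whatever the client sent becomes part of the WHERE clause, so
// MySQL evaluates it as SQL rather than treating it as a column name.
function buildWhereUnsafe(string $stato): string
{
    return 'WHERE ' . $stato . ' = 1';
}

// Returns the backtick-quoted column name, or null when the input is rejected.
function validateStatoColumn(string $module, string $stato): ?string
{
    // 1. Remove backticks so the value cannot terminate identifier quoting.
    $cleaned = str_replace('`', '', $stato);

    // 2. Only letters and underscores may remain: no parentheses, spaces,
    //    operators or comment markers, which rules out any function call.
    if (!preg_match('/^[A-Za-z_]+$/', $cleaned)) {
        return null;
    }

    // 3. Allowlist: the name must be one this module actually filters on.
    //    This is the decisive check; steps 1 and 2 only narrow the input.
    if (!in_array($cleaned, ALLOWED_STATO_COLUMNS[$module] ?? [], true)) {
        return null;
    }

    // 4. Quote the identifier; after steps 1 to 3 it cannot be broken out of.
    return '`' . $cleaned . '`';
}

// Hardened: the column comes from the allowlist and the comparison value is a
// bound parameter. Returns null so the caller can reply HTTP 400 and log it.
function buildWhereSafe(string $module, string $stato, int $value): ?array
{
    $column = validateStatoColumn($module, $stato);
    if ($column === null) {
        return null;
    }
    return ['sql' => 'WHERE ' . $column . ' = ?', 'params' => [$value]];
}

// Demonstration on constructed inputs (SLEEP(10) is the probe the advisory cites).
foreach (['stato', 'SLEEP(10)', 'sta`to', 'created_at'] as $input) {
    $safe = buildWhereSafe('preventivi', $input, 1);
    printf("%-12s unsafe: %-24s hardened: %s\n",
        $input,
        buildWhereUnsafe($input),
        $safe === null ? 'REJECTED' : $safe['sql']);
}
```

Run it with `php example.php`: `stato` is accepted and quoted, `SLEEP(10)` fails the regex, and `created_at` passes the regex but is not in the module's allowlist, so it is rejected too. The input `sta`to` is accepted because stripping the backtick leaves an allowlisted name, which is the behaviour the advisory describes; a stricter handler can instead reject any input containing a backtick outright, and the allowlist keeps the outcome safe either way.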

Additionally, audit all uses of $superselect values in the codebase to ensure no other unsanitized inputs are concatenated directly into SQL queries.

Restrict access to the affected AJAX endpoints to trusted authenticated users only, and monitor logs for suspicious activity.
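One way to act on the "monitor logs" advice above, as an added example that is not part of the advisory or of OpenSTAManager: a small scanner that reads web-server access-log lines, picks out requests to the `ajax_select.php` endpoint named on this page, and flags any `options[stato]` value that is not a plain identifier from an allowlist. It assumes Common Log Format entries, a PHP 8 runtime (for `str_ends_with`) and a constructed allowlist; the log lines are constructed for the example.

```php
<?php
// Added example, not from the advisory or OpenSTAManager. Scans access-log
// lines for requests to the AJAX select handler whose options[stato] value is
// not a plain, allowlisted column name. Log lines and allowlist are constructed.

const SAFE_STATO_VALUES = ['stato', 'idstato'];   // constructed allowlist

// Return a finding for one access-log line, or null if nothing is suspicious.
function inspectAccessLogLine(string $line): ?array
{
    // Common Log Format request field: "GET /path?query HTTP/1.1"
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    $path  = parse_url($m[1], PHP_URL_PATH);
    $query = parse_url($m[1], PHP_URL_QUERY) ?? '';
    if (!is_string($path) || !str_ends_with($path, '/ajax_select.php')) {
        return null;
    }

    // parse_str decodes options%5Bstato%5D=... into $params['options']['stato'].
    parse_str($query, $params);
    $stato = $params['options']['stato'] ?? null;
    if (!is_string($stato)) {
        return null;
    }

    $reasons = [];
    if (!preg_match('/^[A-Za-z_]+$/', $stato)) {
        $reasons[] = 'non-identifier characters';
    }
    if (!in_array($stato, SAFE_STATO_VALUES, true)) {
        $reasons[] = 'not in allowlist';
    }
    // Function names and keywords the advisory mentions, plus common relatives.
    if (preg_match('/\b(sleep|benchmark|greatest|select|union)\b/i', $stato)) {
        $reasons[] = 'SQL function or keyword';
    }
    if ($reasons === []) {
        return null;
    }
    return ['op' => $params['op'] ?? '', 'stato' => $stato, 'reasons' => $reasons];
}

// Constructed sample log: one legitimate call, two suspicious ones, one unrelated.
$constructedLog = [
    '10.0.0.5 - alice [02/Apr/2026:10:00:01 +0000] "GET /ajax_select.php?op=preventivi&options%5Bstato%5D=stato HTTP/1.1" 200 512',
    '10.0.0.7 - bob [02/Apr/2026:10:00:09 +0000] "GET /ajax_select.php?op=ordini-cliente&options%5Bstato%5D=SLEEP%2810%29 HTTP/1.1" 200 12',
    '10.0.0.7 - bob [02/Apr/2026:10:00:31 +0000] "GET /ajax_select.php?op=contratti&options%5Bstato%5D=id%60stato HTTP/1.1" 200 12',
    '10.0.0.9 - - [02/Apr/2026:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 4096',
];

foreach ($constructedLog as $line) {
    $finding = inspectAccessLogLine($line);
    if ($finding !== null) {
        printf("ALERT op=%s stato=%s (%s)\n",
            $finding['op'], $finding['stato'], implode(', ', $finding['reasons']));
    }
}
```

Only the second and third lines produce alerts: the first carries an allowlisted column name and the fourth never touches the endpoint. The regex and allowlist checks are what matter; the keyword list only labels the finding, so a value that avoids those words is still flagged because it is not a bare identifier. In production, feed the function from `fgets()` over the live log and key alerts on the authenticated user and source address, since the advisory notes the attacker must already hold an account.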


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows authenticated attackers to perform time-based blind SQL injection attacks that can extract sensitive data from the OpenSTAManager database, including usernames, password hashes, financial records, and personally identifiable information (PII).

Such unauthorized access and potential data extraction can lead to violations of data protection regulations and standards like GDPR and HIPAA, which require the protection of personal and sensitive information against unauthorized access and breaches.

Because the vulnerability impacts confidentiality, integrity, and availability of sensitive data, organizations using affected versions of OpenSTAManager may face compliance risks, including legal penalties and reputational damage, if the vulnerability is exploited and data is compromised.


How can this vulnerability impact me?

This vulnerability can have severe impacts including:

  • Confidentiality: Attackers can extract sensitive data such as usernames, bcrypt password hashes, personally identifiable information (PII), financial records (invoices, quotes, contracts, payments), and application configuration from the database.
  • Integrity: Attackers may modify data by injecting SQL INSERT or UPDATE statements via subqueries.
  • Availability: Attackers can cause denial of service by executing long-running queries (e.g., using SLEEP functions) that delay or block legitimate database operations.
