CVE-2026-35470
SQL Injection in OpenSTAManager confronta_righe.php Allows Data Theft
Publication date: 2026-04-06
Last updated on: 2026-04-14
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| devcode | openstamanager | < 2.10.2 (2.10.2 not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The SQL Injection vulnerability in OpenSTAManager allows an authenticated attacker to extract sensitive data such as user credentials, customer information, invoice data, and other stored data. This exposure of sensitive personal and financial information can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive data against unauthorized access and breaches.
Additionally, the vulnerability permits modification and deletion of data, impacting data integrity and availability, which are critical aspects of compliance with these standards.
Therefore, exploitation of this vulnerability could result in violations of confidentiality, integrity, and availability requirements mandated by common standards and regulations.
Can you explain this vulnerability to me?
CVE-2026-35470 is a high-severity SQL Injection vulnerability in OpenSTAManager versions up to and including 2.10.1. It affects six copies of `confronta_righe.php`, one in each of the `fatture`, `interventi`, `preventivi`, `ordini`, `ddt` and `contratti` modules. The vulnerability arises because the `righe` parameter, read from `$_GET['righe']`, is concatenated directly into an SQL query without any sanitization, parameterization, or validation.
This allows an authenticated attacker with access to the modules to inject arbitrary SQL statements. The injection occurs specifically in an SQL IN() clause, enabling the attacker to extract sensitive data such as user credentials, customer information, invoices, contracts, and other stored data.
Additionally, the attacker can modify data (INSERT/UPDATE/DELETE) and potentially delete or corrupt database tables, impacting the confidentiality, integrity, and availability of the system.
How can this vulnerability impact me?
This vulnerability can have severe impacts including:
- Confidentiality: An attacker can extract full database data including sensitive credentials such as bcrypt-hashed passwords.
- Integrity: The attacker can modify data by injecting SQL queries, potentially altering or corrupting important information.
- Availability: The attacker can delete or corrupt critical database tables, causing denial of service or data loss.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying if your OpenSTAManager installation is running a vulnerable version (prior to 2.10.2) and if the `confronta_righe.php` files in the modules `fatture`, `interventi`, `preventivi`, `ordini`, `ddt`, and `contratti` are present and accessible.
Detection can involve checking for suspicious HTTP GET requests containing the `righe` parameter with SQL injection payloads targeting these PHP files.
To look for exploitation attempts, search the web server access log for requests to these files whose `righe` parameter carries SQL syntax. Legitimate requests carry only a comma-separated list of integer ids, so anything else in that parameter deserves a look:
- Search the Apache access log (extended regex, case-insensitive): `grep -Ei 'confronta_righe\.php\?[^ ]*righe=[^ ]*(select|extractvalue|union|sleep)' /var/log/apache2/access.log`. Payloads appear URL-encoded in the log, so decode the matches before reading them, and keep in mind that hex- or double-encoded keywords slip past a plain keyword match.
- Test an instance you are authorised to assess with curl. The endpoint requires an authenticated session, so pass the session cookie (replace `$SESSION_COOKIE` with a valid `name=value` cookie) and let curl URL-encode the payload: `curl -G -b "$SESSION_COOKIE" --data-urlencode "righe=1) AND EXTRACTVALUE(1, CONCAT(0x7e,(SELECT database()),0x7e))-- -" "http://yourserver/modules/interventi/modals/confronta_righe.php"`. On a vulnerable MySQL/MariaDB-backed install the malformed XPath makes the database raise an error that echoes the schema name; on a fixed install the parameter is cast to integers and the request behaves like `righe=1`.
Additionally, reviewing the source code for direct concatenation of the `righe` parameter into SQL queries without sanitization can confirm the presence of the vulnerability.
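A detection pass over access-log lines, as an added example that is not part of the advisory or of OpenSTAManager: it narrows to the six `confronta_righe.php` endpoints, URL-decodes the `righe` parameter (repeatedly, to catch double encoding) and flags any value that is not the comma-separated integer list the endpoint expects, reporting which SQL keyword was seen. It assumes the Apache combined log format and that every module keeps the file under `/modules/<module>/.../confronta_righe.php` like the `interventi` path above; the four log lines are constructed for the example.

```python
"""Added example (not from the advisory or OpenSTAManager): flag requests to the
six confronta_righe.php endpoints whose `righe` parameter is not a plain list of
integer ids.  Assumes Apache combined log format and the /modules/<module>/...
path layout seen for the interventi module.  Log lines below are constructed."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

MODULES = ("fatture", "interventi", "preventivi", "ordini", "ddt", "contratti")
# Assumption: each module's copy lives under /modules/<module>/.../confronta_righe.php
PATH_RE = re.compile(r"^/modules/(?:%s)/(?:.*/)?confronta_righe\.php$" % "|".join(MODULES))
# What the endpoint legitimately expects: "12" or "12,15,18"
LEGIT_RIGHE_RE = re.compile(r"^\d+(?:,\d+)*$")
SQLI_KEYWORD_RE = re.compile(r"\b(select|union|extractvalue|updatexml|sleep|benchmark)\b", re.I)
# Apache combined log: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of URL encoding (parse_qs already removed one)."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line: str):
    """Return a finding dict for a suspicious confronta_righe.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not PATH_RE.match(parts.path):
        return None  # other endpoints are out of scope for this check
    for raw in parse_qs(parts.query, keep_blank_values=True).get("righe", []):
        value = fully_decode(raw)
        if LEGIT_RIGHE_RE.match(value):
            continue  # comma-separated integers: the only legitimate shape
        kw = SQLI_KEYWORD_RE.search(value)
        return {
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "status": int(m.group("status")),
            "path": parts.path,
            "righe": value,
            "keyword": kw.group(1).lower() if kw else None,
        }
    return None


def scan(lines):
    """Run inspect_line over an iterable of log lines and keep the findings."""
    return [f for f in (inspect_line(line) for line in lines) if f]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    # legitimate use: comma-separated ids
    '203.0.113.5 - - [06/Apr/2026:10:15:32 +0000] "GET /modules/interventi/modals/confronta_righe.php?righe=12,15,18 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    # URL-encoded copy of the EXTRACTVALUE probe quoted above
    '198.51.100.7 - - [06/Apr/2026:10:16:01 +0000] "GET /modules/interventi/modals/confronta_righe.php?righe=1)%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20database()),0x7e))--%20- HTTP/1.1" 500 613 "-" "curl/8.5.0"',
    # double-encoded UNION payload against another module; a plain grep for "select" misses it
    '198.51.100.7 - - [06/Apr/2026:10:16:09 +0000] "GET /modules/fatture/modals/confronta_righe.php?righe=0)%2520UNION%2520SELECT%2520password%2520FROM%2520zz_users--%2520- HTTP/1.1" 200 1810 "-" "curl/8.5.0"',
    # SQL keyword in an unrelated endpoint: not in scope
    '192.0.2.9 - - [06/Apr/2026:10:17:44 +0000] "GET /modules/fatture/index.php?search=select%20all HTTP/1.1" 200 912 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The shape check (`LEGIT_RIGHE_RE`) is the part that matters: it flags anything that is not an integer list, so the keyword is only reported for context and a payload built without any of the listed keywords is still caught.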
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Restrict the affected modules (and with them the `confronta_righe.php` files) to the smallest set of accounts that need them. Exploitation requires an authenticated session, so fewer accounts with module access means fewer potential attackers.
- Implement input validation and sanitization on the `righe` parameter to prevent SQL injection.
- Apply the recommended code fix by replacing direct concatenation of the `righe` parameter with parameterized queries using prepared statements. For example, convert the vulnerable code to use integer casting and placeholders as follows:
```php
// Cast each comma-separated id to an integer: any SQL syntax in the
// parameter collapses to 0 and never becomes part of the query text.
$righe_ids = array_map('intval', explode(',', $_GET['righe'] ?? ''));

// One positional placeholder per id, so the values are bound by the
// driver instead of being spliced into the SQL string.
$placeholders = implode(',', array_fill(0, count($righe_ids), '?'));

$righe = $dbo->fetchArray('SELECT ... WHERE id IN (' . $placeholders . ')', $righe_ids);
```
- Update OpenSTAManager to version 2.10.2 or later; 2.10.2 is the first release that is not affected and carries the official fix.
- Monitor logs for suspicious activity and consider temporarily disabling or restricting the vulnerable modules if immediate patching is not possible.
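To see why the IN() clause is the problem and why the intval-plus-placeholder fix closes it, here is an added example that is not OpenSTAManager's code: the vulnerable concatenation and the hardened query run side by side against an in-memory SQLite database. The `righe` and `zz_users` tables, their columns and rows are constructed for the example, and because SQLite has no EXTRACTVALUE the injected payload uses a UNION to read the users table instead; `php_intval` is a small stand-in for PHP's `intval()`.

```python
"""Added example (not OpenSTAManager's code): the IN() clause injection next to
the intval + placeholder fix, run against SQLite.  Table and column names
(righe, zz_users.password) and all rows are constructed; SQLite stands in for
the real database, so a UNION replaces the MySQL-only EXTRACTVALUE trick."""
import re
import sqlite3

# What an attacker could pass as ?righe=...: closes IN(...) and appends a
# UNION that reads another table; "-- " comments out the original ")".
PAYLOAD = "0) UNION SELECT username, password FROM zz_users -- "


def make_db() -> sqlite3.Connection:
    """Constructed schema and rows standing in for the application database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE righe (id INTEGER PRIMARY KEY, descrizione TEXT);
        CREATE TABLE zz_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO righe VALUES (1, 'Riga A'), (2, 'Riga B'), (3, 'Riga C');
        INSERT INTO zz_users VALUES (1, 'admin', '$2y$10$constructed.bcrypt.hash');
        """
    )
    return conn


def fetch_vulnerable(conn: sqlite3.Connection, righe: str) -> list:
    """Mirrors the flaw: the raw GET value is concatenated into the IN() list."""
    sql = "SELECT id, descrizione FROM righe WHERE id IN (" + righe + ")"
    return conn.execute(sql).fetchall()


def php_intval(value: str) -> int:
    """Approximates PHP intval(): leading integer or 0, so SQL syntax becomes 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def fetch_hardened(conn: sqlite3.Connection, righe: str) -> list:
    """The fix: cast each id, then bind one placeholder per id."""
    ids = [php_intval(part) for part in righe.split(",")]
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT id, descrizione FROM righe WHERE id IN ({placeholders})"
    return conn.execute(sql, ids).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("normal  :", fetch_vulnerable(db, "1,3"))
    print("injected:", fetch_vulnerable(db, PAYLOAD))  # leaks the password hash
    print("fixed   :", fetch_hardened(db, PAYLOAD))    # becomes IN (0): nothing
```

With the placeholders the list shape is fixed by the code, and each bound value is a number, so the only thing an attacker controls is which ids are looked up.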