Platform: php
Component: devcode-it/openstamanager
Fixed in: 2.10.3, 2.10.2
CVE-2026-35168 describes a SQL Injection vulnerability within the Aggiornamenti (Updates) module of OpenSTAManager. This flaw allows an authenticated attacker to execute arbitrary SQL commands due to insufficient validation of SQL statements. Successful exploitation can lead to complete database compromise. This affects OpenSTAManager versions prior to 2.10.2, and is resolved in version 2.10.2.
CVE-2026-35168 in OpenSTAManager (versions <= 2.10.1) allows an authenticated attacker to execute arbitrary SQL code on the database. The 'Aggiornamenti' (Updates) module includes a database conflict resolution feature (op=risolvi-conflitti-database) that accepts a JSON array of SQL statements via a POST request. This feature executes these statements directly against the database without any validation, allowlist, or sanitization. This means an attacker can potentially modify, delete, or extract sensitive data from the database, compromising the system's integrity and confidentiality. The CVSS severity is 8.8 (High), indicating a significant risk.
An attacker with valid credentials to access the 'Aggiornamenti' module can exploit this vulnerability. The attacker would send a POST request with a JSON array containing malicious SQL statements. The lack of validation allows the attacker to inject arbitrary SQL code that will be executed in the database's context. The exploitation complexity is low, as it requires no special skills beyond SQL knowledge and the ability to send HTTP requests. The need for authentication limits exploitation to users with system access, but the severity of the vulnerability warrants immediate attention.
Exploit Status
EPSS: 0.08% (24th percentile)
The solution is to upgrade OpenSTAManager to version 2.10.2 or higher. This version fixes the vulnerability by implementing proper validation of the SQL statements received through the op=risolvi-conflitti-database parameter. In the meantime, as a temporary measure, restrict access to the 'Aggiornamenti' module to authorized users only and monitor the system for exploitation attempts. Additionally, review and strengthen authentication and authorization policies to limit the potential impact of a successful attack. The upgrade is the best defense against this vulnerability.
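The interim advice above is to monitor for exploitation attempts while the upgrade is pending. The following added example (not code from OpenSTAManager or the advisory) checks whether a deployed version falls in the affected range and scans web-server access logs for requests carrying the op=risolvi-conflitti-database parameter; the log layout (Apache/nginx combined format) and the sample log lines are constructed assumptions.

```python
"""Audit helpers for CVE-2026-35168: version-range check and access-log scan for
requests to the OpenSTAManager conflict-resolution endpoint."""
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: Apache/nginx combined log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_OP = "risolvi-conflitti-database"   # parameter value named in the advisory
FIXED_VERSION = (2, 10, 2)               # first fixed release per the advisory

# Constructed sample traffic, not real log data.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /modules/aggiornamenti/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2026:12:00:07 +0000] "POST /controller.php?id_module=42&op=risolvi-conflitti-database HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2026:12:00:09 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2026:12:00:12 +0000] "POST /controller.php?op=Risolvi-Conflitti-Database HTTP/1.1" 500 0 "-" "python-requests/2.31"
"""


def is_affected(version: str) -> bool:
    """True when an OpenSTAManager version string is below 2.10.2 (numeric parts only)."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts < FIXED_VERSION


def find_conflict_resolution_requests(log_text: str) -> list:
    """Return one record per request whose query string selects the vulnerable op.
    The endpoint is legitimate for administrators, so each hit is an audit event to
    reconcile against planned maintenance rather than proof of an attack."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        query = urlsplit(m["target"]).query
        ops = [v.lower() for v in parse_qs(query).get("op", [])]
        if VULN_OP in ops:
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in find_conflict_resolution_requests(SAMPLE_LOG):
        print(hit)
```

Feed the real access log to find_conflict_resolution_requests and compare each hit's source address and timestamp with the change records for database maintenance; POST requests from unexpected clients or with error statuses deserve a closer look.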
Upgrade OpenSTAManager to version 2.10.2 or higher. This version contains a fix for the SQL injection vulnerability in the Aggiornamenti module. The update will prevent attackers from executing arbitrary SQL commands on your database.
OpenSTAManager is an open-source software license management tool.
The update fixes a critical vulnerability that allows the execution of arbitrary SQL code, which could compromise the security of your system.
Restrict access to the 'Aggiornamenti' module to authorized users and monitor the system for exploitation attempts.
Review and strengthen your authentication and authorization policies.
If you are using a version prior to 2.10.2, you are vulnerable. Consult the OpenSTAManager documentation for more details.