Package details: pkg:composer/devcode-it/openstamanager@2.9.8
purl: pkg:composer/devcode-it/openstamanager@2.9.8
Next non-vulnerable version: 2.10.2
Latest non-vulnerable version: 2.10.2
Risk: 4.5
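A practical first check for anyone who depends on this package is to compare what composer.lock actually pins against the page-level "next non-vulnerable version". The Python below is an added example, not VulnerableCode or OpenSTAManager code: it parses the purl shown above, reads a composer.lock excerpt that is constructed inline for the demonstration, and reports whether the pinned version is below 2.10.2. Note that the individual advisory records further down list no fixed-by version at all, so 2.10.2 is this page's computed value rather than something the advisories state; treat the result as "upgrade candidate", not as proof of a fix.

```python
"""Compare a composer.lock pin against the next non-vulnerable version from
this page. Added example; assumes only the purl and version shown on the
page, plus a constructed composer.lock excerpt."""
import json
import re
from typing import Optional, Tuple

PURL = "pkg:composer/devcode-it/openstamanager@2.9.8"
NEXT_NON_VULNERABLE = "2.10.2"  # page-level value; per-advisory records list no fix

# Constructed composer.lock excerpt, not a real lock file.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "devcode-it/openstamanager", "version": "v2.9.8"},
        {"name": "monolog/monolog", "version": "3.5.0"},
    ],
    "packages-dev": [],
})


def parse_purl(purl: str) -> Tuple[str, str, str]:
    """Split 'pkg:type/namespace/name@version' into (type, name, version)."""
    m = re.fullmatch(r"pkg:([^/]+)/(.+)@([^@?#]+)", purl)
    if not m:
        raise ValueError(f"not a purl: {purl}")
    return m.group(1), m.group(2), m.group(3)


def version_key(version: str) -> Tuple[int, ...]:
    """Composer versions may carry a leading 'v'; compare numeric parts only.
    Pre-release suffixes are ignored, which is fine for the versions on this page."""
    core = re.match(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not core:
        raise ValueError(f"unparseable version: {version}")
    return tuple(int(p) for p in core.group(1).split("."))


def installed_version(lock_json: str, name: str) -> Optional[str]:
    """Return the pinned version of `name` from either lock section, or None."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == name:
                return pkg.get("version")
    return None


def is_affected(installed: str, next_fixed: str) -> bool:
    """Affected when the pinned version sorts below the first non-vulnerable one."""
    return version_key(installed) < version_key(next_fixed)


def check_lock(lock_json: str) -> dict:
    """Report whether the lock file pins an affected version of the page's package."""
    ptype, name, _page_version = parse_purl(PURL)
    if ptype != "composer":
        raise ValueError("expected a composer purl")
    found = installed_version(lock_json, name)
    if found is None:
        return {"package": name, "installed": None, "affected": False}
    return {
        "package": name,
        "installed": found,
        "affected": is_affected(found, NEXT_NON_VULNERABLE),
        "upgrade_to": NEXT_NON_VULNERABLE,
    }


if __name__ == "__main__":
    print(check_lock(SAMPLE_COMPOSER_LOCK))
```

Swap `SAMPLE_COMPOSER_LOCK` for the contents of your real lock file; the version comparison is deliberately numeric-only because a string comparison would rank 2.9.8 above 2.10.2.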
Vulnerabilities affecting this package (9)
Vulnerability Summary Fixed by
VCID-2br1-99zg-z7bh
Aliases:
CVE-2025-69213
GHSA-w995-ff8h-rppg
OpenSTAManager has a SQL Injection in ajax_complete.php (get_sedi endpoint). A SQL Injection vulnerability exists in the `ajax_complete.php` endpoint when handling the `get_sedi` operation. An authenticated attacker can inject malicious SQL code through the `idanagrafica` parameter, leading to unauthorized database access. There are no reported fixed by versions.
VCID-7e19-24d8-f7gd
Aliases:
CVE-2026-24416
GHSA-p864-fqgv-92q4
OpenSTAManager has a Time-Based Blind SQL Injection in the Article Pricing Module. Critical Time-Based Blind SQL Injection vulnerability in the article pricing module of OpenSTAManager v2.9.8 allows authenticated attackers to extract complete database contents including user credentials, customer data, and financial records through time-based Boolean inference attacks. **Status:** ✅ Confirmed and tested on live instance (v2.9.8) and [demo.osmbusiness.it](https://demo.osmbusiness.it/) (v2.9.7) **Vulnerable Parameter:** `idarticolo` (GET) **Affected Endpoint:** `/ajax_complete.php?op=getprezzi` **Affected Module:** Articoli (Articles/Products) There are no reported fixed by versions.
VCID-81kx-rj8c-dkbr
Aliases:
CVE-2026-24419
GHSA-4j2x-jh4m-fqv6
OpenSTAManager has a SQL Injection in the Prima Nota module. Critical Error-Based SQL Injection vulnerability in the Prima Nota (Journal Entry) module of OpenSTAManager v2.9.8 allows authenticated attackers to extract complete database contents including user credentials, customer PII, and financial records through XML error messages by injecting malicious SQL into URL parameters. **Status:** ✅ Confirmed and tested on live instance (v2.9.8) **Vulnerable Parameters:** `id_documenti` (GET parameters) **Affected Endpoint:** `/modules/primanota/add.php` **Attack Type:** Error-Based SQL Injection (IN clause) There are no reported fixed by versions.
VCID-8x62-3aff-hbak
Aliases:
CVE-2025-69212
GHSA-25fp-8w8p-mx36
OpenSTAManager has an OS Command Injection in P7M File Processing. A critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing a .p7m file with a malicious filename to execute arbitrary system commands on the server. There are no reported fixed by versions.
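The bug class here is an archive member name flowing into a shell command. The Python below is an added illustration, not OpenSTAManager's code: it builds a ZIP in memory with a constructed hostile `.p7m` member name, runs the name through the unsafe pattern (string interpolated into `shell=True`) and through a hardened path (allow-list the name, then pass it as a single argv element with no shell). `echo` and a `python -c` one-liner stand in for the real decoder so the unsafe branch is harmless to run; a real implementation would invoke the signature-verification tool in the argv list instead.

```python
"""Unsafe versus safe handling of a .p7m filename taken from a ZIP.
Added example; the member name, archive and stand-in commands are constructed."""
import io
import re
import subprocess
import sys
import zipfile

# Constructed attacker filename: valid-looking .p7m suffix, shell metacharacters inside.
HOSTILE_NAME = "invoice.p7m; echo INJECTED; #.p7m"
# Allow-list: plain basename, safe characters only, must end in .p7m.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,128}\.p7m$")


def build_zip(member_names):
    """Return ZIP bytes with one empty member per name (constructed upload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"")
    return buf.getvalue()


def list_p7m_members(zip_bytes):
    """Member names exactly as the archive declares them; nothing is trusted yet."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(".p7m")]


def unsafe_decode(member_name):
    """VULNERABLE pattern: the filename is interpolated into a shell command line.
    'echo' stands in for the real decoder; the injected command still runs."""
    cmd = f"echo decoding {member_name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def is_safe_member_name(member_name):
    """Reject path separators, traversal and shell metacharacters via the allow-list."""
    return bool(SAFE_NAME_RE.match(member_name)) and member_name not in (".", "..")


def safe_decode(member_name):
    """Hardened: validate first, then pass the name as one argv element, no shell."""
    if not is_safe_member_name(member_name):
        raise ValueError(f"rejected member name: {member_name!r}")
    argv = [sys.executable, "-c", "import sys; print('decoding', sys.argv[1])", member_name]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def demo():
    """Process a constructed upload with the hardened path; returns per-member outcomes."""
    zip_bytes = build_zip([HOSTILE_NAME, "good.p7m"])
    results = {}
    for name in list_p7m_members(zip_bytes):
        try:
            results[name] = ("safe", safe_decode(name).strip())
        except ValueError as exc:
            results[name] = ("rejected", str(exc))
    return results


if __name__ == "__main__":
    print(unsafe_decode(HOSTILE_NAME))  # second line of output proves the injection ran
    print(demo())
```

The allow-list is deliberately narrow; if your deployment must accept names with other characters, keep the argv-list call and loosen the regex rather than reintroducing a shell string.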
VCID-by14-5puv-qygm
Aliases:
CVE-2025-69216
GHSA-q6g3-fv43-m2w6
OpenSTAManager has a SQL Injection in Scadenzario Print Template. An **authenticated SQL Injection vulnerability** in OpenSTAManager's Scadenzario (Payment Schedule) print template allows any authenticated user to extract sensitive data from the database, including admin credentials, customer information, and financial records. The vulnerability enables complete database read access through error-based SQL injection techniques. There are no reported fixed by versions.
VCID-gnx6-chzh-3fc3
Aliases:
CVE-2026-24418
GHSA-4xwv-49c8-fvhq
OpenSTAManager has a SQL Injection vulnerability in the Scadenzario bulk operations module. Critical Error-Based SQL Injection vulnerability in the Scadenzario (Payment Schedule) bulk operations module of OpenSTAManager v2.9.8 allows authenticated attackers to extract complete database contents including user credentials, customer PII, and financial records through XML error messages. **Status:** ✅ Confirmed and tested on live instance (v2.9.8) **Vulnerable Parameter:** `id_records[]` (POST array) **Affected Endpoint:** `/actions.php?id_module=18` (Scadenzario module) **Attack Type:** Error-Based SQL Injection (IN clause) There are no reported fixed by versions.
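Both the Prima Nota entry (`id_documenti`) and this Scadenzario entry (`id_records[]`) are the same defect: a request array joined into an `IN (...)` clause. The Python below is an added example, not OpenSTAManager's code, using an in-memory SQLite database with constructed tables and rows in place of the application's MySQL schema. It shows the naive builder accepting a payload that closes the list and appends a `UNION` against a credentials table, the database error that a handler echoing DB errors would leak (the channel error-based extraction depends on), and the parameterized form that binds one placeholder per validated integer.

```python
"""IN (...) built from a request array: vulnerable builder, error channel, hardened form.
Added example; table names, rows and payload are constructed for illustration."""
import sqlite3

# Constructed attacker input: element two closes the IN list and appends a UNION.
PAYLOAD = ["1", "2) UNION SELECT id, username, password FROM users_demo --"]


def make_db():
    """Throwaway SQLite schema standing in for the application's MySQL tables."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE scadenze (id INTEGER PRIMARY KEY, descrizione TEXT, importo REAL);
        CREATE TABLE users_demo (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO scadenze VALUES (1, 'Fattura 1', 100.0), (2, 'Fattura 2', 250.5), (3, 'Fattura 3', 80.0);
        INSERT INTO users_demo VALUES (1, 'admin', '$2y$10$constructedhash');
    """)
    return con


def fetch_vulnerable(con, id_records):
    """VULNERABLE: the array is joined straight into the SQL text, the Python
    equivalent of implode(',', $_POST['id_records']) in PHP."""
    sql = ("SELECT id, descrizione, importo FROM scadenze WHERE id IN ("
           + ",".join(id_records) + ")")
    return con.execute(sql).fetchall()


def error_channel(con, id_records):
    """A handler that returns the database error to the client is the channel
    error-based extraction rides on. The advisories describe MySQL error text in
    XML responses; SQLite's wording differs, but the leak path is identical."""
    try:
        fetch_vulnerable(con, id_records)
        return ""
    except sqlite3.OperationalError as exc:
        return str(exc)


def fetch_safe(con, id_records):
    """Hardened: every element must be an integer and is bound to its own
    placeholder, so user data never enters the SQL text."""
    ids = []
    for value in id_records:
        if not str(value).isdigit():
            raise ValueError(f"non-numeric id rejected: {value!r}")
        ids.append(int(value))
    if not ids:
        return []
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT id, descrizione, importo FROM scadenze WHERE id IN ({placeholders})"
    return con.execute(sql, ids).fetchall()


if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", fetch_vulnerable(con, PAYLOAD))   # credentials row appears
    print("error text:", error_channel(con, ["1)"]))       # what an echoing handler leaks
    try:
        fetch_safe(con, PAYLOAD)
    except ValueError as exc:
        print("hardened:", exc)
```

The integer check is what makes the fix robust: binding alone would reject the payload here, but validating before binding also stops the surprising-but-legal values (huge lists, negative ids) that often surface as the next bug.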
VCID-nv3t-9e16-8kbn
Aliases:
CVE-2026-27012
GHSA-247v-7cw6-q57v
OpenSTAManager affected by unauthenticated privilege escalation via modules/utenti/actions.php. A privilege escalation and authentication bypass vulnerability in OpenSTAManager allows any attacker to arbitrarily change a user's group (`idgruppo`) by directly calling `modules/utenti/actions.php`. This can promote an existing account (e.g. agent) into the Amministratori group as well as demote any user including existing administrators. There are no reported fixed by versions.
VCID-pxzr-bvsj-y3gs
Aliases:
CVE-2025-69214
GHSA-qjv8-63xq-gq8m
OpenSTAManager has a SQL Injection in ajax_select.php (componenti endpoint). A SQL Injection vulnerability exists in the `ajax_select.php` endpoint when handling the `componenti` operation. An authenticated attacker can inject malicious SQL code through the `options[matricola]` parameter. There are no reported fixed by versions.
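Until an upgrade lands, the advisories above give a defender concrete things to watch for in web-server logs: SQL metacharacters in `idanagrafica` and `idarticolo` on `ajax_complete.php`, in `options[matricola]` on `ajax_select.php`, and any traffic at all to `modules/utenti/actions.php`, where a group change should be rare and admin-initiated. The Python below is an added example, not OpenSTAManager tooling: it parses combined-format access log lines that are constructed here, URL-decodes the query string, and emits findings for each rule. Caveats a practitioner should keep in mind: the time-based variant also shows up as slow responses, which the combined format does not record, and POST bodies are not logged, so a POST to the utenti endpoint can only be flagged for review, not judged from the log alone.

```python
"""Detection over web-server access logs for the endpoints named in this page's
advisories. Added example; the log lines are constructed, not real traffic."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache/nginx combined-format lines. The utenti request shapes
# (query names, group id) are placeholders, not the application's real API.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2026:10:01:02 +0000] "GET /ajax_complete.php?op=getprezzi&idarticolo=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jun/2026:10:01:07 +0000] "GET /ajax_complete.php?op=getprezzi&idarticolo=12%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.9 - - [10/Jun/2026:10:01:09 +0000] "GET /ajax_complete.php?op=get_sedi&idanagrafica=7%27%20OR%201%3D1-- HTTP/1.1" 500 - "-" "python-requests/2.31"',
    '203.0.113.9 - - [10/Jun/2026:10:01:12 +0000] "GET /ajax_select.php?op=componenti&options%5Bmatricola%5D=ABC%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 640 "-" "python-requests/2.31"',
    '198.51.100.4 - - [10/Jun/2026:10:02:30 +0000] "POST /modules/utenti/actions.php HTTP/1.1" 302 0 "-" "curl/8.5.0"',
    '203.0.113.5 - - [10/Jun/2026:10:02:45 +0000] "GET /modules/utenti/actions.php?id_record=3&idgruppo=1 HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Parameters named in the advisories and the shape they should have.
WATCHED = {
    "/ajax_complete.php": {"idanagrafica": "int", "idarticolo": "int"},
    "/ajax_select.php": {"options[matricola]": "text"},
}
PRIV_ENDPOINT = "/modules/utenti/actions.php"
SQLI_RE = re.compile(
    r"('|--|/\*|\bsleep\s*\(|\bbenchmark\s*\(|\bunion\b|\bselect\b|\bor\b\s+\d+\s*=\s*\d+)",
    re.IGNORECASE,
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def inspect_request(rec):
    """Apply both rules to one parsed record; returns a list of finding tuples."""
    findings = []
    split = urlsplit(rec["target"])
    path = split.path
    params = parse_qs(split.query, keep_blank_values=True)
    for name, kind in WATCHED.get(path, {}).items():
        for value in params.get(name, []):
            v = unquote(value)  # parse_qs decoded once; second pass catches double encoding
            if kind == "int" and not v.isdigit():
                findings.append((rec["ip"], "sqli-shape", path, name, v))
            elif kind == "text" and SQLI_RE.search(v):
                findings.append((rec["ip"], "sqli-pattern", path, name, v))
    if path == PRIV_ENDPOINT:
        note = "idgruppo in query" if "idgruppo" in params else f"{rec['method']} (body not logged)"
        findings.append((rec["ip"], "user-group-change", path, "idgruppo", note))
    return findings


def scan(lines):
    """Run the rules over every parseable line."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec:
            out.extend(inspect_request(rec))
    return out


def by_source(findings):
    """Count findings per client IP, a quick pivot for triage."""
    counts = {}
    for f in findings:
        counts[f[0]] = counts.get(f[0], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f)
    print(by_source(found))
```

Feed real logs in via `scan(open(path))`; if your log format includes request duration, add a threshold on the `getprezzi` requests to catch the time-based probes that carry no obvious metacharacters.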
VCID-w4gk-vbbq-13ea
Aliases:
CVE-2025-69215
GHSA-qx9p-w3vj-q24q
OpenSTAManager has an SQL Injection in the Stampe (Prints) Module. The imported advisory summary carries no description of the affected parameter or endpoint; what survived the import is only the tail of the reporter's proof-of-concept script, a results-printing loop:
    print("=" * 70)
    print(" EXTRACTION SUMMARY")
    print("=" * 70)
    print()
    if results:
        for key, value in results.items():
            print(f" {key:.<40} {value}")
There are no reported fixed by versions.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-7h5v-9rhe-2bbp
Aliases:
CVE-2026-24415
GHSA-jfgp-g7x7-j25j
OpenSTAManager Affected by XSS in modifica_iva.php via righe parameter. Multiple Reflected Cross-Site Scripting (XSS) vulnerabilities in OpenSTAManager v2.9.8 allow unauthenticated attackers to execute arbitrary JavaScript code in the context of other users' browsers through crafted URL parameters, potentially leading to session hijacking, credential theft, and unauthorized actions. **Vulnerable Parameter:** `righe` (GET) Note that this summary names v2.9.8 as affected while this table records 2.9.8 as the version fixing the vulnerability; check the advisory's affected range before relying on either.

Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2026-06-04T16:58:52.431515+00:00 | GithubOSV Importer | Fixing | VCID-7h5v-9rhe-2bbp | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-jfgp-g7x7-j25j/GHSA-jfgp-g7x7-j25j.json | 38.6.0
2026-06-02T04:51:17.858896+00:00 | GitLab Importer | Affected by | VCID-nv3t-9e16-8kbn | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/devcode-it/openstamanager/CVE-2026-27012.yml | 38.6.0
2026-06-02T04:51:06.507270+00:00 | GitLab Importer | Fixing | VCID-7h5v-9rhe-2bbp | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/devcode-it/openstamanager/CVE-2026-24415.yml | 38.6.0
2026-06-02T04:50:01.095785+00:00 | GitLab Importer | Affected by | VCID-8x62-3aff-hbak | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/devcode-it/openstamanager/CVE-2025-69212.yml | 38.6.0
2026-06-02T04:50:00.850316+00:00 | GitLab Importer | Affected by | VCID-gnx6-chzh-3fc3 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/devcode-it/openstamanager/CVE-2026-24418.yml | 38.6.0
2026-06-02T04:50:00.736303+00:00 | GitLab Importer | Affected by | VCID-by14-5puv-qygm | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/devcode-it/openstamanager/CVE-2025-69216.yml | 38.6.0
2026-06-02T04:50:00.456715+00:00 | GitLab Importer | Affected by | VCID-81kx-rj8c-dkbr | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/devcode-it/openstamanager/CVE-2026-24419.yml | 38.6.0
2026-06-02T04:50:00.018580+00:00 | GitLab Importer | Affected by | VCID-pxzr-bvsj-y3gs | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/devcode-it/openstamanager/CVE-2025-69214.yml | 38.6.0
2026-06-02T04:49:59.923169+00:00 | GitLab Importer | Affected by | VCID-7e19-24d8-f7gd | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/devcode-it/openstamanager/CVE-2026-24416.yml | 38.6.0
2026-06-02T04:49:56.199613+00:00 | GitLab Importer | Affected by | VCID-2br1-99zg-z7bh | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/devcode-it/openstamanager/CVE-2025-69213.yml | 38.6.0
2026-06-02T04:49:54.659437+00:00 | GitLab Importer | Affected by | VCID-w4gk-vbbq-13ea | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/devcode-it/openstamanager/CVE-2025-69215.yml | 38.6.0