Advisories for Composer/Devcode-It/Openstamanager package

2026

OpenSTAManager has an SQL Injection in the Stampe Module

print("="*70) print(" EXTRACTION SUMMARY") print("="*70) print() if results: for key, value in results.items(): print(f" {key:.<40} {value}")

OpenSTAManager has a SQL Injection in ajax_complete.php (get_sedi endpoint)

A SQL Injection vulnerability exists in the ajax_complete.php endpoint when handling the get_sedi operation. An authenticated attacker can inject malicious SQL code through the idanagrafica parameter, leading to unauthorized database access.

2025

OpenSTAManager has Authenticated SQL Injection in API via 'display' parameter

An authenticated SQL Injection vulnerability in the API allows any user, regardless of permission level, to execute arbitrary SQL queries. By manipulating the display parameter in an API request, an attacker can exfiltrate, modify, or delete any data in the database, leading to a full system compromise.