OpenSTAManager has an SQL Injection vulnerability in the Scadenzario bulk operations module

OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the bulk operations handler for the Scadenzario (Payment Schedule) module. The application fails to validate that elements of the id_records array are integers before using them in an SQL IN() clause, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages.

N/A

SQL命令中使用的特殊元素转义处理不恰当(SQL注入)

OpenSTAManager SQL注入漏洞

OpenSTAManager是Devcode开源的一个用于技术援助和计费的开源管理软件。 OpenSTAManager v2.9.8及之前版本存在SQL注入漏洞，该漏洞源于对Scadenzario模块批量操作处理程序中的id_records数组验证不足，可能导致基于错误的SQL注入攻击。

N/A

N/A