CVE-2025-69213
Published: 04 February 2026
Summary
CVE-2025-69213 is a high-severity SQL Injection (CWE-89) vulnerability in Devcode Openstamanager. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents SQL injection by validating and sanitizing the idanagrafica parameter before its use in SQL queries within the ajax_complete.php endpoint.
Requires timely remediation of the specific SQL injection flaw in OpenSTAManager versions 2.9.8 and prior, including patching when available.
Enforces restrictions on the idanagrafica input parameter, such as type and length limits, to block malicious SQL code injection.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in a remotely accessible web application endpoint (ajax_complete.php) directly maps to exploitation of public-facing apps for unauthorized DB access.
NVD Description
OpenSTAManager is an open source management software for technical assistance and invoicing. In version 2.9.8 and prior, a SQL Injection vulnerability exists in the ajax_complete.php endpoint when handling the get_sedi operation. An authenticated attacker can inject malicious SQL code through…
more
the idanagrafica parameter, leading to unauthorized database access. At time of publication, no known patch exists.
Deeper analysisAI
CVE-2025-69213 is a SQL injection vulnerability (CWE-89) in OpenSTAManager, an open source management software for technical assistance and invoicing. The flaw affects versions 2.9.8 and prior, specifically in the ajax_complete.php endpoint during the get_sedi operation. Attackers can inject malicious SQL code through the idanagrafica parameter, enabling unauthorized database access.
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and without requiring user interaction (UI:N). Exploitation maintains an unchanged scope (S:U) and can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), as reflected in its CVSS 3.1 base score of 8.8.
The primary reference is the GitHub security advisory at https://github.com/devcode-it/openstamanager/security/advisories/GHSA-w995-ff8h-rppg. At the time of publication on 2026-02-04T18:16:07.537, no known patch exists for this vulnerability.
Details
- CWE(s)