OpenSTAManager has an authenticated SQL Injection vulnerability in API via...

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.9.5, an authenticated SQL Injection vulnerability in the API allows any user, regardless of permission level, to execute arbitrary SQL queries. By manipulating the display parameter in an API request, an attacker can exfiltrate, modify, or delete any data in the database, leading to a full system compromise. This issue has been patched in version 2.9.5.

AI Analysis

Authenticated SQL Injection vulnerability in OpenSTAManager API via 'display' parameter, allowing arbitrary SQL queries and potential full system compromise.

Basic Information

ID CVE-2025-65103

Source GitHub_M

Published Nov 19, 2025 at 19:09

Modified Nov 19, 2025 at 20:31

Affected Product

Vendor devcode-it

Product openstamanager

Version < 2.9.5

Affected Versions devcode-it openstamanager < 2.9.5

CWE Classification

CWE-89

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor devcode-it

Product OpenSTAManager

Version < 2.9.5

References

github.com /devcode-it/openstamanager/security/advisories/GHSA-2jm2-2p35-rp3j

{
    "lastseen": "",
    "description": "OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.9.5, an authenticated SQL Injection vulnerability in the API allows any user, regardless of permission level, to execute arbitrary SQL queries. By manipulating the display parameter in an API request, an attacker can exfiltrate, modify, or delete any data in the database, leading to a full system compromise. This issue has been patched in version 2.9.5.",
    "published": "2025-11-19T19:09:09.209Z",
    "modified": "2025-11-19T20:31:35.423Z",
    "type": "cve",
    "title": "OpenSTAManager has an authenticated SQL Injection vulnerability in API via 'display' parameter",
    "source": "GitHub_M",
    "references": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2jm2-2p35-rp3j",
    "id": "CVE-2025-65103",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "devcode-it openstamanager < 2.9.5",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "openstamanager",
    "version": "< 2.9.5",
    "vendor": "devcode-it",
    "ai_description": "Authenticated SQL Injection vulnerability in OpenSTAManager API via 'display' parameter, allowing arbitrary SQL queries and potential full system compromise.",
    "ai_severity": "High",
    "ai_vendor": "devcode-it",
    "ai_product": "OpenSTAManager",
    "ai_version": "< 2.9.5",
    "ai_score": 8.8
}

OpenSTAManager has an authenticated SQL Injection vulnerability in API via ‘display’ parameter_CVE-2025-65103