{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-28805/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["openstamanager","sqli","cve-2026-28805"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenSTAManager, management software for technical assistance and invoicing, contains a critical vulnerability that could lead to significant data breaches. Specifically, versions prior to 2.10.2 are vulnerable to Time-Based Blind SQL Injection (CVE-2026-28805) in its AJAX select handlers. The vulnerability exists due to the lack of sanitization, parameterization, or allowlist validation of the \u0026lsquo;options[stato]\u0026rsquo; GET parameter. This allows an authenticated attacker to inject arbitrary SQL queries, potentially compromising the entire database. Successful exploitation allows an attacker to extract sensitive data like usernames, password hashes, and financial records. Organizations using affected versions of OpenSTAManager should upgrade to version 2.10.2 immediately to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker identifies the vulnerable AJAX select handler within the OpenSTAManager application.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting the vulnerable endpoint, injecting SQL code into the \u003ccode\u003eoptions[stato]\u003c/code\u003e parameter (e.g., \u003ccode\u003eoptions[stato]=%' AND SLEEP(5) AND '%'='\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server-side application concatenates the attacker-supplied SQL code directly into a SQL WHERE clause without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe injected SQL \u003ccode\u003eSLEEP()\u003c/code\u003e function causes a time delay on the server, confirming the successful injection to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker refines the SQL injection payload to extract specific data, such as the database version or user credentials, using conditional \u003ccode\u003eSLEEP()\u003c/code\u003e statements and character-by-character extraction techniques.\u003c/li\u003e\n\u003cli\u003eThe attacker iterates through the database structure and tables, extracting sensitive data like usernames and password hashes.\u003c/li\u003e\n\u003cli\u003eUsing the extracted credentials, the attacker gains unauthorized access to administrative functions within OpenSTAManager.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates financial records and other sensitive data from the compromised database.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to complete compromise of the OpenSTAManager database. This includes the potential exposure of sensitive customer data, financial records, and internal user credentials. The impact could range from financial loss and reputational damage to legal repercussions for failing to protect sensitive information. Given the CVSS v3.1 base score of 8.8, this is a critical vulnerability requiring immediate attention.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenSTAManager to version 2.10.2 or later to patch CVE-2026-28805.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect OpenSTAManager SQL Injection Attempt\u0026rdquo; to monitor for malicious requests containing SQL injection payloads targeting the \u003ccode\u003eoptions[stato]\u003c/code\u003e parameter (see rules).\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to block requests containing SQL injection patterns, specifically targeting the \u003ccode\u003eoptions[stato]\u003c/code\u003e GET parameter.\u003c/li\u003e\n\u003cli\u003eReview web server logs for unusual activity and suspicious requests containing SQL syntax within the \u003ccode\u003eoptions[stato]\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T14:16:26Z","date_published":"2026-04-02T14:16:26Z","id":"/briefs/2024-01-openstamanager-sqli/","summary":"OpenSTAManager versions before 2.10.2 are susceptible to time-based blind SQL injection via the 'options[stato]' GET parameter, allowing authenticated attackers to extract sensitive database information.","title":"OpenSTAManager Time-Based Blind SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-openstamanager-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-28805","version":"https://jsonfeed.org/version/1.1"}