📄 Description (English)
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zz_oauth2 table using the attacker-controlled GET parameter state, and during the OAuth2 configuration flow calls unserialize() on the access_token field without any class restriction. This issue has been patched in version 2.10.2.
🤖 AI Executive Summary
CVE-2026-29782 is a critical PHP object injection vulnerability in OpenSTAManager's unauthenticated OAuth2 endpoint that allows remote code execution through unsafe deserialization. The vulnerability affects all versions prior to 2.10.2 and is actively exploitable without authentication. Organizations using OpenSTAManager for technical assistance and invoicing management face immediate risk of system compromise.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 8, 2026 23:45
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations in technical services, managed IT service providers (MSPs), and small-to-medium enterprises (SMEs) using OpenSTAManager for invoicing and technical support management are at high risk. Government agencies and healthcare facilities using this software for asset management and service tracking face potential data breach and operational disruption. The vulnerability's unauthenticated nature makes it particularly dangerous for organizations with internet-facing instances. Banking sector vendors and payment processors using OpenSTAManager could face SAMA compliance violations if customer data is compromised.
🏢 Affected Saudi Sectors
Information Technology Services
Managed Service Providers (MSPs)
Small and Medium Enterprises (SMEs)
Government Agencies
Healthcare
Banking and Financial Services
Telecommunications
Energy Sector
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.7
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all OpenSTAManager instances in your environment and document their versions
2. Immediately isolate or restrict network access to oauth2.php endpoint if patching cannot be done immediately
3. Review access logs for suspicious requests to /oauth2.php with unusual 'state' parameters
4. Check for signs of exploitation: unexpected PHP processes, new user accounts, modified files in web root
PATCHING:
1. Upgrade OpenSTAManager to version 2.10.2 or later immediately
2. Test patches in non-production environment first
3. Verify oauth2.php functionality post-patch
COMPENSATING CONTROLS (if immediate patching not possible):
1. Implement Web Application Firewall (WAF) rules to block requests to oauth2.php containing serialized PHP objects (detect 'O:' patterns in GET parameters)
2. Restrict network access to oauth2.php to known OAuth2 providers only
3. Implement rate limiting on oauth2.php endpoint
4. Disable PHP error reporting to prevent information disclosure
DETECTION:
1. Monitor for HTTP requests to oauth2.php with GET parameter 'state' containing base64-encoded serialized objects
2. Alert on any POST requests to oauth2.php
3. Monitor for PHP execution from web-accessible directories
4. Track failed and successful OAuth2 authentication attempts
5. Search logs for patterns: 'O:' in URL parameters, 'unserialize' in error logs
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع مثيلات OpenSTAManager في بيئتك وقثق إصداراتها
2. قم بعزل أو تقييد الوصول إلى نقطة نهاية oauth2.php فوراً إذا لم يكن بالإمكان تطبيق التصحيح
3. راجع سجلات الوصول للطلبات المريبة إلى /oauth2.php مع معاملات 'state' غير عادية
4. تحقق من علامات الاستغلال: عمليات PHP غير متوقعة، حسابات مستخدمين جديدة، ملفات معدلة في جذر الويب
التصحيح:
1. قم بترقية OpenSTAManager إلى الإصدار 2.10.2 أو أحدث فوراً
2. اختبر التصحيحات في بيئة غير الإنتاج أولاً
3. تحقق من وظيفة oauth2.php بعد التصحيح
الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
1. طبق قواعد جدار حماية تطبيقات الويب (WAF) لحظر الطلبات إلى oauth2.php التي تحتوي على كائنات PHP مسلسلة
2. قيد الوصول إلى oauth2.php إلى موفري OAuth2 المعروفين فقط
3. طبق تحديد معدل على نقطة نهاية oauth2.php
4. عطل تقارير أخطاء PHP لمنع الكشف عن المعلومات
الكشف:
1. راقب طلبات HTTP إلى oauth2.php مع معامل GET 'state' يحتوي على كائنات PHP مسلسلة مشفرة بـ base64
2. أصدر تنبيهات لأي طلبات POST إلى oauth2.php
3. راقب تنفيذ PHP من الدلائل التي يمكن الوصول إليها عبر الويب
4. تتبع محاولات المصادقة الفاشلة والناجحة في OAuth2
5. ابحث في السجلات عن الأنماط: 'O:' في معاملات URL، 'unserialize' في سجلات الأخطاء
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Information Security Policies and Procedures
ECC 2024 A.6.1.1 - Access Control and Authentication
ECC 2024 A.8.2.1 - Secure Development and Maintenance
ECC 2024 A.8.2.3 - Security Testing and Vulnerability Management
ECC 2024 A.12.2.1 - Change Management
🔵 SAMA CSF
SAMA CSF ID.BE-1 - Governance and Risk Management
SAMA CSF PR.AC-1 - Access Control and Authentication
SAMA CSF PR.DS-6 - Data Security and Integrity
SAMA CSF DE.CM-1 - Detection and Analysis
SAMA CSF RS.RP-1 - Response Planning
🟡 ISO 27001:2022
ISO 27001:2022 A.5.1 - Policies for Information Security
ISO 27001:2022 A.6.1 - Screening and Onboarding
ISO 27001:2022 A.8.1 - Information Security in Supplier Relationships
ISO 27001:2022 A.8.2 - Information Security in ICT Development and Maintenance
ISO 27001:2022 A.8.3 - Cryptography
ISO 27001:2022 A.12.6 - Change Management
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Security Patches and Updates
PCI DSS 6.5.1 - Injection Flaws
PCI DSS 11.3 - Penetration Testing
🔗 References & Sources 3
🔗
https://github.com/devcode-it/openstamanager/commit/d2e38cbdf91a831cefc0da1548e02b297ae...
security-advisories@github.com
Patch
🔗
https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2
security-advisories@github.com
Product
Release Notes
🔗
https://github.com/devcode-it/openstamanager/security/advisories/GHSA-whv5-4q2f-q68g
security-advisories@github.com
Exploit
Mitigation
Vendor Advisory
📦 Affected Products / CPE 1 entries
devcode:openstamanager