CVE-2026-29782: CWE-502: Deserialization of Untrusted Data in devcode-it openstamanager
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zz_oauth2 table using the attacker-controlled GET parameter state, and during the OAuth2 configuration flow calls unserialize() on the access_token field without any class restriction. This issue has been patched in version 2.10.2.
AI Analysis
Technical Summary
OpenSTAManager versions before 2.10.2 contain a deserialization of untrusted data vulnerability (CWE-502) in the oauth2.php file. The endpoint is unauthenticated and uses an attacker-controlled GET parameter 'state' to retrieve a database record. The access_token field from this record is passed to PHP's unserialize() function without any restrictions on allowed classes, enabling potential malicious object injection. This flaw was addressed by the vendor in version 2.10.2.
Potential Impact
Successful exploitation could allow an attacker to execute arbitrary code, cause denial of service, or manipulate application logic due to unsafe deserialization of attacker-controlled data. The vulnerability affects confidentiality, integrity, and availability of the affected system. The CVSS 3.1 base score is 7.2, indicating a high severity impact with network attack vector, low attack complexity, and no user interaction required.
Mitigation Recommendations
A patch fixing this vulnerability is available in OpenSTAManager version 2.10.2. Users should upgrade to version 2.10.2 or later to remediate this issue. No other mitigation guidance is provided or required as the vulnerability is addressed by the official fix.
CVE-2026-29782: CWE-502: Deserialization of Untrusted Data in devcode-it openstamanager
Description
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zz_oauth2 table using the attacker-controlled GET parameter state, and during the OAuth2 configuration flow calls unserialize() on the access_token field without any class restriction. This issue has been patched in version 2.10.2.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
OpenSTAManager versions before 2.10.2 contain a deserialization of untrusted data vulnerability (CWE-502) in the oauth2.php file. The endpoint is unauthenticated and uses an attacker-controlled GET parameter 'state' to retrieve a database record. The access_token field from this record is passed to PHP's unserialize() function without any restrictions on allowed classes, enabling potential malicious object injection. This flaw was addressed by the vendor in version 2.10.2.
Potential Impact
Successful exploitation could allow an attacker to execute arbitrary code, cause denial of service, or manipulate application logic due to unsafe deserialization of attacker-controlled data. The vulnerability affects confidentiality, integrity, and availability of the affected system. The CVSS 3.1 base score is 7.2, indicating a high severity impact with network attack vector, low attack complexity, and no user interaction required.
Mitigation Recommendations
A patch fixing this vulnerability is available in OpenSTAManager version 2.10.2. Users should upgrade to version 2.10.2 or later to remediate this issue. No other mitigation guidance is provided or required as the vulnerability is addressed by the official fix.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-04T16:26:02.898Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69ce7bd9e6bfc5ba1ddfe6c7
Added to database: 4/2/2026, 2:23:21 PM
Last enriched: 4/9/2026, 10:41:10 PM
Last updated: 5/20/2026, 8:52:47 PM
Views: 37
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.