CVE-2026-24418
📋 TL;DR
OpenSTAManager v2.9.8 and earlier contain a critical SQL injection vulnerability in the Payment Schedule module's bulk operations handler. Attackers can inject malicious SQL commands through the id_records array parameter, potentially extracting sensitive database information via XPATH error messages. All users running affected versions are vulnerable.
💻 Affected Systems
- OpenSTAManager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including extraction of sensitive customer data, financial records, authentication credentials, and potential system takeover.
Likely Case
Data exfiltration of sensitive information including customer details, payment records, and potentially administrative credentials.
If Mitigated
Limited impact with proper input validation, parameterized queries, and database permission restrictions in place.
🎯 Exploit Status
Exploitation requires access to the Scadenzario module, but SQL injection via error-based techniques is well-documented and relatively simple to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.9.9 or later
Vendor Advisory: https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4xwv-49c8-fvhq
Restart Required: No
Instructions:
1. Backup your OpenSTAManager installation and database.
2. Download the latest version from the official repository.
3. Replace the affected files with the patched versions.
4. Verify the fix by testing the Scadenzario bulk operations functionality.
🔧 Temporary Workarounds
Input Validation Filter
Add server-side validation so that the id_records array contains only integers before it is processed.
Modify the bulk operations handler to validate each element, e.g. if (!is_numeric($id)) { return error; }
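One way to implement this workaround, as an added example that is not OpenSTAManager's own code: every element of id_records is checked with ctype_digit (stricter than is_numeric, which also accepts floats and exponents such as "1e3") before any SQL runs, and the surviving ids are bound as parameters rather than interpolated. The table and column names, and the $pdo connection, are assumptions.

```php
<?php
// Added example (not OpenSTAManager's code): harden the id_records path of a
// bulk operations handler. Table/column names below are assumed placeholders.
declare(strict_types=1);

/**
 * Return id_records as a de-duplicated list of positive integers, or throw if
 * any element is not a plain decimal integer (quotes, spaces, hex, "1e3", "-1").
 */
function validateIdRecords($idRecords): array
{
    if (!is_array($idRecords) || $idRecords === []) {
        throw new InvalidArgumentException('id_records must be a non-empty array');
    }
    $ids = [];
    foreach ($idRecords as $id) {
        // Only ints and strings are considered; ctype_digit on the string form
        // rejects signs, whitespace, decimal points and exponent notation.
        if ((!is_int($id) && !is_string($id)) || !ctype_digit((string) $id) || (int) $id === 0) {
            throw new InvalidArgumentException('id_records must contain only positive integers');
        }
        $ids[] = (int) $id;
    }
    return array_values(array_unique($ids));
}

/**
 * Even validated ids are bound as PDO parameters; the SQL text never contains
 * user input. $pdo is an existing PDO connection (assumed).
 */
function fetchScadenzeByIds(PDO $pdo, array $idRecords): array
{
    $ids = validateIdRecords($idRecords);
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    // Table "co_scadenziario" and column "importo" are assumed names.
    $stmt = $pdo->prepare("SELECT id, importo FROM co_scadenziario WHERE id IN ($placeholders)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: the first list is accepted, the second (a stray quote)
// is rejected before any query is built.
var_dump(validateIdRecords(['12', 7, '12']));   // int(12), int(7)
try {
    validateIdRecords(['12', "7'"]);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```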
Web Application Firewall Rule
Block SQL injection patterns in requests to the Scadenzario module.
Add a WAF rule that detects SQL patterns in the id_records parameter.
🧯 If You Can't Patch
- Disable the Scadenzario module bulk operations functionality entirely
- Implement strict network segmentation and limit database access permissions to minimum required
🔍 How to Verify
Check if Vulnerable:
Test the Scadenzario bulk operations endpoint with SQL injection payloads in the id_records parameter and check for XPATH error messages in responses.
Check Version:
Check the version.php file or admin dashboard for OpenSTAManager version information
Verify Fix Applied:
Attempt the same SQL injection tests after patching; a successful fix returns proper error handling without disclosing database errors.
📡 Detection & Monitoring
Log Indicators:
- Unusual database error messages containing XPATH syntax
- Multiple failed SQL queries from single user sessions
- Abnormal parameter patterns in Scadenzario module requests
Network Indicators:
- SQL injection patterns in POST parameters to bulk operations endpoints
- Unusual database connection patterns from application servers
SIEM Query:
source="web_logs" AND (uri_path="/scadenzario" OR uri_path="/payment_schedule") AND (param="id_records" AND value MATCHES "(?i)(union|select|xp_|0x)")