Description
OpenSTAManager is open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the Prima Nota (Journal Entry) module's add.php file. The application fails to validate that comma-separated values from the id_documenti GET parameter are integers before using them in SQL IN() clauses, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages.
Published: 2026-02-06
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary SQL injection exposing sensitive data
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the Prima Nota (Journal Entry) module of OpenSTAManager, where the add.php script does not validate that the comma‑separated values in the id_documenti GET parameter are integers before incorporating them into SQL IN() clauses. This flaw permits attackers to inject arbitrary SQL code, resulting in error-based data extraction via XPATH error messages. The weakness is classified as CWE‑89 and can lead to unauthorized data disclosure and potential manipulation of the database.

Affected Systems

The flaw affects the devcode‑it OpenSTAManager product, specifically versions 2.9.8 and earlier. Any deployment of OpenSTAManager that includes the vulnerable add.php module and processes the id_documenti parameter through a publicly accessible web interface is at risk.

Risk and Exploitability

With a CVSS score of 8.7 and an EPSS score of less than 1%, the vulnerability presents a high severity but a low likelihood of exploitation under current conditions. It is not listed in the CISA KEV catalog. The attack vector is network-based (AV:N) and requires only a low-privileged account (PR:L), via crafted HTTP GET requests to the add.php endpoint. If exploited, an attacker can read confidential data and potentially influence database contents, depending on the underlying database permissions.

Generated by OpenCVE AI on April 17, 2026 at 22:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenSTAManager to a version released after 2.9.8 that contains the patch for the SQL injection vulnerability.
  • Add server‑side validation to the id_documenti GET parameter to ensure all supplied values are numeric before they are used in SQL statements.
  • Deploy a web application firewall or input sanitization rules to block malformed SQL injection attempts targeting the add.php route.
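The second recommended action, server-side validation of the id_documenti list before it reaches an IN() clause, is shown below as an added example in PHP. It is not OpenSTAManager's own code: the table and column names (documents, id, numero), the function names and the in-memory SQLite data are assumptions constructed for the demo. The hardened handler rejects any element that is not a plain integer and binds the surviving values as prepared-statement parameters, so no request data is ever concatenated into the query.

```php
<?php
// Added example, not OpenSTAManager's own code. Demonstrates validating a
// comma-separated id list as integers before an SQL IN() clause and binding
// the values through PDO. Table/column names and sample data are assumed.

declare(strict_types=1);

// Vulnerable pattern the advisory describes (shown for contrast, do not use):
//   $in = $_GET['id_documenti'];
//   $q  = "SELECT * FROM documents WHERE id IN ({$in})";
// Every element of the raw parameter is concatenated straight into the query.

/**
 * Parse a comma-separated id list into integers.
 * Returns null if any element is not a plain non-negative integer, so the
 * caller rejects the whole request instead of passing it on to SQL.
 */
function parseIdList(string $raw, int $maxItems = 500): ?array
{
    $ids = [];
    foreach (explode(',', $raw) as $piece) {
        $piece = trim($piece);
        // ctype_digit rejects '', signs, spaces, quotes, parentheses, etc.
        if ($piece === '' || !ctype_digit($piece)) {
            return null;
        }
        $ids[] = (int) $piece;
    }
    if (count($ids) === 0 || count($ids) > $maxItems) {
        return null;
    }
    return array_values(array_unique($ids));
}

/**
 * Parameterized IN() query: one ? placeholder per id, each value bound as an
 * integer by PDO rather than interpolated into the SQL text.
 */
function fetchDocuments(PDO $pdo, array $ids): array
{
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT id, numero FROM documents WHERE id IN ({$placeholders})");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Hardened request handler (assumed name). $query stands in for $_GET so the
 * function can be exercised with constructed input.
 */
function handleRequest(PDO $pdo, array $query): array
{
    $raw = isset($query['id_documenti']) ? (string) $query['id_documenti'] : '';
    $ids = parseIdList($raw);
    if ($ids === null) {
        // Reject before any SQL is built; log the bad value for detection.
        error_log('rejected id_documenti: ' . substr($raw, 0, 100));
        return ['status' => 400, 'rows' => []];
    }
    return ['status' => 200, 'rows' => fetchDocuments($pdo, $ids)];
}

// Constructed sample data in an in-memory SQLite database so the script runs
// offline; in the application this would be the real connection.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE documents (id INTEGER PRIMARY KEY, numero TEXT)');
$pdo->exec("INSERT INTO documents VALUES (1, 'DOC-0001'), (2, 'DOC-0002'), (3, 'DOC-0003')");

$ok = handleRequest($pdo, ['id_documenti' => '1, 3']);   // valid list
echo $ok['status'], ': ', count($ok['rows']), " rows\n";  // 200: 2 rows

$bad = handleRequest($pdo, ['id_documenti' => '1,abc']); // non-integer element
echo $bad['status'], ': ', count($bad['rows']), " rows\n"; // 400: 0 rows
```

The validation step is the one that matters for this CVE: once every element is known to be an integer, the IN() list cannot carry SQL, and the placeholders make the query safe even if a later refactor drops the check. The error_log call gives operators a signal to alert on; repeated 400s on add.php with non-numeric id_documenti values are the detection counterpart of the WAF rule in the third recommended action.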



Advisories
Source: Github GHSA | ID: GHSA-4j2x-jh4m-fqv6 | Title: OpenSTAManager has a SQL Injection in the Prima Nota module
History

Mon, 09 Feb 2026 22:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:devcode:openstamanager:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Devcode
Devcode openstamanager
Vendors & Products Devcode
Devcode openstamanager

Fri, 06 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Description OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the Prima Nota (Journal Entry) module's add.php file. The application fails to validate that comma-separated values from the id_documenti GET parameter are integers before using them in SQL IN() clauses, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages.
Title OpenSTAManager has an SQL Injection in the Prima Nota module
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-06T18:30:09.396Z

Reserved: 2026-01-22T18:19:49.175Z

Link: CVE-2026-24419

Vulnrichment

Updated: 2026-02-06T18:29:33.869Z

NVD

Status : Analyzed

Published: 2026-02-06T18:15:58.333

Modified: 2026-02-09T21:55:03.027

Link: CVE-2026-24419

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:45:29Z

Weaknesses