PT-2026-6761 · Unknown · Openstamanager

Lukasz-Rybak · Published 2026-02-06 · Updated 2026-02-06 · CVE-2026-24419

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenSTAManager versions 2.9.8 and earlier

Description: OpenSTAManager contains a critical error-based SQL injection issue in the add.php file of the Prima Nota (Journal Entry) module. The application does not validate that the comma-separated values received through the id_documenti GET parameter are integers before using them in SQL IN() clauses. This allows attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages. The vulnerable parameter is id_documenti and the affected endpoint is /modules/primanota/add.php. The vulnerability resides in lines 63-67 and 306 of add.php: the application retrieves the user-controlled URL parameter with the get() function, splits it on commas, and concatenates the resulting array elements directly into a SQL query without any type validation. An attacker can therefore inject SQL code by supplying a malicious value for the id_documenti parameter.

Recommendations: Versions prior to 2.9.8 should implement type validation for the id_documenti parameter. Specifically, use array_map('intval', $id_documenti) to ensure every array element is an integer, and array_filter($id_documenti, fn($id) => $id > 0) to remove zero or negative IDs.
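The following PHP is an added illustration of the recommended hardening and is not OpenSTAManager's own code. It applies exactly the two steps the advisory recommends (array_map('intval', ...) followed by array_filter for IDs greater than zero) and then binds the surviving IDs as prepared-statement parameters instead of concatenating them. The function names, the DOCUMENTS_TABLE placeholder and the use of PDO are assumptions; the project's real query layer is not shown on this page.

```php
<?php
declare(strict_types=1);

// Added example, not the project's source. The placeholder table name below
// stands in for whatever table the real add.php queries; it is not from the page.
const DOCUMENTS_TABLE = 'documents_table_placeholder';

/*
 * Pattern the advisory describes (paraphrased, not the actual source):
 *   $ids = explode(',', get('id_documenti'));
 *   $sql = "... WHERE id IN (" . implode(',', $ids) . ")";
 * Every element is interpolated as-is, so any non-numeric text reaches MySQL.
 */

/**
 * Turn a raw "1,2,3"-style request value into a list of positive integers.
 * Letters, quotes, SQL fragments, empty fields, zero and negatives are all
 * discarded rather than forwarded to the query.
 */
function sanitizeIdList(string $raw): array
{
    $parts = array_map('trim', explode(',', $raw));
    $ints  = array_map('intval', $parts);              // non-numeric text becomes 0
    $valid = array_filter($ints, fn($id) => $id > 0);  // drop 0 and negative IDs
    return array_values(array_unique($valid));         // reindex for positional binding
}

/**
 * Build a parameterised IN() query for the sanitized IDs.
 * Returns [sql, params]. An empty list yields a query that matches nothing,
 * avoiding the syntactically invalid "IN ()".
 */
function buildDocumentQuery(array $ids): array
{
    $table = DOCUMENTS_TABLE;
    if ($ids === []) {
        return ["SELECT * FROM {$table} WHERE 1 = 0", []];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    return ["SELECT * FROM {$table} WHERE id IN ({$placeholders})", $ids];
}

// Constructed sample inputs: a well-formed list and a malformed one of the
// kind the advisory warns about. The non-integer fragment, the zero and the
// negative entry are dropped by sanitizeIdList() before any SQL is built.
$wellFormed = sanitizeIdList('12,7,12');
$malformed  = sanitizeIdList("5,abc' OR 1=1,0,-3, 9");

[$sql, $params] = buildDocumentQuery($malformed);
echo $sql, PHP_EOL;
echo implode(',', $params), PHP_EOL;

// Executing with PDO (assumed DB layer; requires a configured $pdo instance):
// $stmt = $pdo->prepare($sql);
// $stmt->execute($params);
```

Even with the integer filter in place, binding the values as parameters is what removes the injection surface entirely; the filter is a defence-in-depth measure that also rejects nonsensical IDs before they reach the database.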

SQL injection

Weakness Enumeration

Related Identifiers
CVE-2026-24419
GHSA-4J2X-JH4M-FQV6

Affected Products
Openstamanager