PT-2026-6772 · Unknown · Openstamanager

Lukasz-Rybak · Published 2026-02-06 · Updated 2026-02-06 · CVE-2026-24416

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenSTAManager versions 2.9.8 and earlier

Description: OpenSTAManager contains a critical time-based blind SQL injection vulnerability in the article pricing completion handler. The application does not sanitize the idarticolo parameter before using it in SQL queries, which allows an authenticated attacker to inject arbitrary SQL and extract sensitive data through time-based Boolean inference. The vulnerability is reached through the /ajax_complete.php entry point and lives in the /modules/articoli/ajax/complete.php module; the vulnerable parameter is idarticolo in the GET request to the /ajax_complete.php?op=getprezzi endpoint. Because any authenticated user can reach this handler (CVSS PR:L), the flaw allows extraction of complete database contents, including user credentials, customer data, and financial records. A proof-of-concept (PoC) demonstrates extraction of the database name, the admin username, and the password hash. The root cause is inconsistent use of the prepare() function: it is applied to the idanagrafica parameter but not to the idarticolo parameter in the same handler.

Recommendations: Apply the fix to the /modules/articoli/ajax/complete.php file. Replace the vulnerable code with the corrected version, so that the idarticolo parameter is sanitized with the prepare() function before it is used in any SQL query, exactly as idanagrafica already is.
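The following is an added illustration of the bug class and its fix; it is not OpenSTAManager's code and not the advisory's PoC. It contrasts a handler that splices a request parameter into SQL text with one that validates the value and binds it as a typed parameter. The PDO connection $pdo, the table `listini`, and the function names getPrezziVulnerable and getPrezziFixed are hypothetical, and the fixed version uses a PDO prepared statement rather than the project's own prepare() helper.

```php
<?php
// Added example, not OpenSTAManager's code. $pdo, the `listini` table and
// both function names are hypothetical; the point is the contrast between
// string concatenation and a bound parameter.

declare(strict_types=1);

// Vulnerable pattern: whatever arrives in ?idarticolo=... becomes part of the
// SQL statement, so the database parses attacker-controlled text as SQL.
function getPrezziVulnerable(PDO $pdo, array $get): array
{
    $idarticolo = $get['idarticolo'] ?? '';
    $sql = 'SELECT prezzo FROM listini WHERE idarticolo = ' . $idarticolo;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: reject anything that is not a positive integer, then bind
// the value as a typed parameter. The statement text is fixed before any user
// data is involved, so the WHERE clause can no longer be used for inference.
function getPrezziFixed(PDO $pdo, array $get): array
{
    $idarticolo = filter_var($get['idarticolo'] ?? null, FILTER_VALIDATE_INT);
    if ($idarticolo === false || $idarticolo < 1) {
        http_response_code(400);
        return [];
    }
    $stmt = $pdo->prepare('SELECT prezzo FROM listini WHERE idarticolo = :id');
    $stmt->bindValue(':id', $idarticolo, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage inside the AJAX handler:
// $prezzi = getPrezziFixed($pdo, $_GET);
```

The integer check is the cheap first line of defence for an id parameter, but the parameter binding is what closes the injection regardless of input shape. With the MySQL driver, setting PDO::ATTR_EMULATE_PREPARES to false makes the server, not the client library, separate statement text from values; the same discipline should be applied to every parameter the handler reads, not only the one named in this advisory.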

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-24416
GHSA-P864-FQGV-92Q4

Affected Products

Openstamanager