PT-2026-6773 · Unknown · Openstamanager
Lukasz-Rybak · Published 2026-02-06 · Updated 2026-02-09 · CVE-2026-24417
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenSTAManager versions 2.9.8 and earlier
Description: OpenSTAManager contains a critical time-based blind SQL injection vulnerability in the global search functionality. The application does not sanitize the term parameter before concatenating it into SQL LIKE clauses in multiple module-specific search handlers, allowing an attacker to inject arbitrary SQL and extract sensitive data through time-based Boolean inference. Because the global search fans a single request out to every module's handler, the injection executes in all vulnerable modules at once (amplified execution); this multiplies the induced delay and can degrade server availability. The vulnerable parameter is term, submitted to the /ajax/search.php endpoint. Affected modules include Articoli, Ordini, DDT, Fatture, Preventivi, Anagrafiche, Impianti, Contratti, Automezzi and Interventi. Successful exploitation allows complete database exfiltration, including customer personally identifiable information (PII), financial records and business secrets, as well as password hashes.
Recommendations: Replace all instances of direct $term concatenation with prepare() in the following files:
  • /modules/articoli/ajax/search.php - Line 51
  • /modules/ordini/ajax/search.php - Lines 43, 47, 79
  • /modules/ddt/ajax/search.php - Lines 43, 47, 83
  • /modules/fatture/ajax/search.php - Lines 45, 49, 85
  • /modules/preventivi/ajax/search.php - Lines 45, 49, 83
  • /modules/anagrafiche/ajax/search.php - Lines 62, 107, 162
  • /modules/impianti/ajax/search.php - Line 46
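The following Python/SQLite script is an added illustration, not part of this advisory or of the OpenSTAManager code base: it contrasts a search handler that splices the term into a LIKE literal (the defect described above) with a parameterized version, and also shows the caveat that binding alone leaves LIKE wildcards in the term active unless they are escaped. The table, rows and function names are constructed, and the project's own prepare() helper is stood in for by bound parameters.

```python
import sqlite3

# Constructed sample data standing in for one module table that the global
# search fans out to (e.g. the articoli list); not real OpenSTAManager data.
SAMPLE_ROWS = [
    ("ART-001", "Filtro olio"),
    ("ART-002", "Pastiglie freno"),
    ("ART-003", "Olio 100% sintetico"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articoli (codice TEXT, descrizione TEXT)")
    conn.executemany("INSERT INTO articoli VALUES (?, ?)", SAMPLE_ROWS)
    return conn

def search_vulnerable(conn, term):
    # Same defect the advisory describes: the user-controlled term is spliced
    # straight into the LIKE literal, so a quote in it rewrites the query.
    sql = ("SELECT codice FROM articoli WHERE descrizione LIKE '%"
           + term + "%' ORDER BY codice")
    return [row[0] for row in conn.execute(sql)]

def escape_like(term, esc="\\"):
    # Binding the value stops structural injection, but '%' and '_' are still
    # LIKE metacharacters; escape them so the term is matched literally.
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))

def search_fixed(conn, term):
    # Hardened handler: the pattern is a bound parameter and an ESCAPE clause
    # neutralises wildcards that came from the user.
    sql = ("SELECT codice FROM articoli WHERE descrizione LIKE ? ESCAPE '\\' "
           "ORDER BY codice")
    pattern = "%" + escape_like(term) + "%"
    return [row[0] for row in conn.execute(sql, (pattern,))]

if __name__ == "__main__":
    db = make_db()
    probe = "zzz%' OR 1=1 --"             # closes the literal, comments out the rest
    print(search_vulnerable(db, "olio"))  # legitimate search: ART-001, ART-003
    print(search_vulnerable(db, probe))   # every row: the quote broke out of the literal
    print(search_fixed(db, probe))        # []: the probe is just text to match
    print(search_fixed(db, "100%"))       # ART-003: '%' matched literally
```

The same structural difference is what a fix in each listed search.php must achieve: the term may only ever reach the database as a bound value, and any wildcard semantics must be decided by the application, not by the caller.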

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-24417
GHSA-4HC4-8599-XH2H

Affected Products

Openstamanager