PT-2026-6774 · Unknown · Openstamanager
Lukasz-Rybak · Published 2026-02-06 · Updated 2026-02-06 · CVE-2026-24418
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenSTAManager versions 2.9.8 and earlier
Description: OpenSTAManager contains a critical error-based SQL injection issue within the Scadenzario (Payment Schedule) module's bulk-operations handler. The application does not validate that the elements of the id_records array are integers before using them in an SQL IN() clause. This allows an attacker to inject arbitrary SQL and extract sensitive data through XPath error messages. The vulnerable parameter is id_records[] and is reachable through the /actions.php?id_module=18 endpoint. The vulnerability stems from the application's failure to validate input types: non-integer values in the id_records array are concatenated directly into the SQL query without sanitization. This lets an attacker manipulate the query and extract data, including user credentials, customer personally identifiable information (PII), and financial records.
Recommendations: Versions prior to 2.9.8 should implement type validation on the id_records array. Specifically, use array_map('intval', $id_records) to convert every element to an integer and array_filter to drop any non-positive IDs before using them in the SQL query.
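The recommended fix, carried through as an added example (not OpenSTAManager's own code; the function names, the table name and the PDO handle are assumptions). It also adds the defence-in-depth step of binding the surviving integers as prepared-statement parameters, and it handles the edge case where no valid id is left, which would otherwise yield a malformed "IN ()" clause:

```php
<?php
// Added example: hardening an id_records[] bulk-operation handler.
// Not OpenSTAManager's code; function names, table name and $db are assumed.

/**
 * Coerce every submitted id to a positive integer, as the advisory recommends.
 * array_map('intval') turns a non-numeric string such as "abc" into 0 and a
 * string like "12abc" into 12; array_filter then drops 0 and negatives, and
 * array_unique/array_values return a clean, reindexed list of integers.
 */
function sanitizeIdRecords(mixed $raw): array
{
    if (!is_array($raw)) {
        return [];                       // a scalar id_records is rejected outright
    }
    $ids = array_map('intval', $raw);    // every element is now an int
    $ids = array_filter($ids, fn(int $id): bool => $id > 0);
    return array_values(array_unique($ids));
}

/**
 * Build the IN() clause from one "?" placeholder per id and bind the values,
 * so no request data ever reaches the SQL text even after sanitisation.
 * Returns the matching rows, or an empty array when no valid id survived.
 * "scadenze" is a hypothetical table name, not the project's.
 */
function fetchScadenzeByIds(PDO $db, mixed $rawIds): array
{
    $ids = sanitizeIdRecords($rawIds);
    if ($ids === []) {
        return [];                       // never emit "IN ()", which is a syntax error
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT id, descrizione FROM scadenze WHERE id IN ($placeholders)");
    $stmt->execute($ids);                // values are bound, not concatenated
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request data (not a real request): two valid ids, one
// non-numeric string, one negative value and one duplicate. After
// sanitisation only the integers 4 and 17 remain, in that order.
$constructedInput = ['4', 'not-a-number', '-3', '17', '4'];
var_dump(sanitizeIdRecords($constructedInput));
```

The same sanitizer can be applied to any other request array that feeds an IN() clause; the important property is that the values are cast before the query string is assembled, not inside it.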

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2026-24418, GHSA-4XWV-49C8-FVHQ

Affected Products: Openstamanager