OpenSTAManager affected by reflected XSS in modifica_iva.php via righe parameter
Description
OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contains Reflected XSS vulnerabilities in invoice/order/contract modification modals. The application fails to properly sanitize user-supplied input from the righe GET parameter before reflecting it in HTML output.The $_GET['righe'] parameter is directly echoed into the HTML value attribute without any sanitization using htmlspecialchars() or equivalent functions. This allows an attacker to break out of the attribute context and inject arbitrary HTML/JavaScript.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenSTAManager v2.9.8 and earlier contain reflected XSS in invoice/order/contract modals via the unsanitized 'righe' GET parameter.
Vulnerability
Description
OpenSTAManager versions 2.9.8 and earlier contain multiple Reflected Cross-Site Scripting (XSS) vulnerabilities in the modification modals for invoices, orders, contracts, and other documents [1][3]. The root cause is improper sanitization of user-supplied input from the righe GET parameter, which is directly echoed into the HTML value attribute of hidden input fields without using htmlspecialchars() or equivalent functions [3]. This allows an attacker to break out of the attribute context and inject arbitrary HTML or JavaScript.
Exploitation
Attackers can exploit this vulnerability by crafting a malicious URL that includes a payload in the righe parameter, such as ?righe="> [3]. The attack requires no authentication and can be delivered via social engineering, such as tricking a user into clicking a crafted link while logged into the application [1][3]. The vulnerable code appears in at least six modal files, including /modules/contratti/modals/modifica_iva.php, /modules/fatture/modals/modifica_iva.php, and /modules/ordini/modals/modifica_iva.php [3].
Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary JavaScript in the context of the victim's browser [3]. This can lead to session hijacking, credential theft, and unauthorized actions performed on behalf of the user, potentially compromising sensitive data and enabling further attacks within the application [3].
Mitigation
As of the advisory, the vulnerability affects OpenSTAManager v2.9.8 and earlier. Users are advised to update to a patched version when available, or to apply input sanitization to the righe parameter in all affected modal files [3].
- GitHub - devcode-it/openstamanager: OpenSTAManager è un software gestionale open-source basato su web, sviluppato in PHP con database MySQL. Serve a gestire l'assistenza tecnica e la fatturazione elettronica per piccole e medie imprese. Include moduli per la contabilità, la gestione del magazzino, le anagrafiche di clienti e fornitori, i documenti di vendita e acquisto.
- Multiple Reflected XSS in modifica_iva.php via righe parameter
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
devcode-it/openstamanagerPackagist | < 2.9.8 | 2.9.8 |
Affected products
2- Range: <=2.9.8
- devcode-it/openstamanagerv5Range: <= 2.9.8
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-jfgp-g7x7-j25jghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-24415ghsaADVISORY
- github.com/devcode-it/openstamanager/security/advisories/GHSA-jfgp-g7x7-j25jghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.