OpenSTAManager has an SQL Injection in the Prima Nota module
Description
OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the Prima Nota (Journal Entry) module's add.php file. The application fails to validate that comma-separated values from the id_documenti GET parameter are integers before using them in SQL IN() clauses, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenSTAManager v2.9.8 and earlier contain an error-based SQL injection in the Prima Nota module's add.php, allowing authenticated attackers to extract database contents via the id_documenti parameter.
Vulnerability
Overview
OpenSTAManager v2.9.8 and earlier contain a critical error-based SQL injection vulnerability in the Prima Nota (Journal Entry) module's add.php file [2]. The application fails to validate that comma-separated values from the id_documenti GET parameter are integers before using them in SQL IN() clauses, allowing attackers to inject arbitrary SQL commands [3].
Exploitation
Details
An authenticated attacker can exploit this vulnerability by crafting a malicious id_documenti parameter in the URL to /modules/primanota/add.php. The injected SQL is executed and error messages, specifically XPATH errors, are used to extract sensitive information from the database [3]. No additional privileges beyond authentication are required.
Impact
Successful exploitation enables an attacker to extract the entire database contents, including user credentials, customer personally identifiable information (PII), and financial records [3]. This could lead to account takeover, data breaches, and financial fraud.
Mitigation
As of the advisory, no patch has been released for the vulnerable versions [3]. Users are advised to implement strict input validation on the id_documenti parameter or restrict access to the Prima Nota module until a fix is available.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
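The flaw described above is a classic one: a comma-separated list from the query string is placed straight into an SQL IN() list. The following PHP is an added illustration, not OpenSTAManager's code, showing the vulnerable construction for contrast beside the strict-validation mitigation the advisory recommends. The function names and the `documents` table are hypothetical, and the demo data is constructed so the script runs on its own against an in-memory SQLite database.

```php
<?php
// Added example (not OpenSTAManager code). Function names and the
// "documents" table are hypothetical; sample rows are constructed.

declare(strict_types=1);

/**
 * Vulnerable pattern, constructed for contrast: the raw GET value is
 * concatenated into the IN() list, so the request text becomes SQL text.
 */
function buildVulnerableQuery(string $rawIds): string
{
    return "SELECT id, name FROM documents WHERE id IN ($rawIds)";
}

/**
 * Hardened: accept only digit-only tokens and return them as integers.
 * ctype_digit() rejects signs, spaces, quotes, parentheses and the empty
 * string, so a tampered list is refused before any SQL is built.
 */
function parseDocumentIds(string $rawIds): array
{
    $ids = [];
    foreach (explode(',', $rawIds) as $token) {
        $token = trim($token);
        if ($token === '' || !ctype_digit($token)) {
            throw new InvalidArgumentException('id_documenti contains a non-integer value');
        }
        $ids[] = (int) $token;
    }
    if ($ids === []) {
        throw new InvalidArgumentException('id_documenti is empty');
    }
    return array_values(array_unique($ids));
}

/**
 * Even validated ids go through placeholders: one "?" per value, bound by
 * PDO, so the SQL text never contains user-supplied characters.
 */
function fetchDocuments(PDO $pdo, array $ids): array
{
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT id, name FROM documents WHERE id IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demo on an in-memory SQLite database (constructed data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE documents (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO documents VALUES (1,'Invoice A'), (2,'Invoice B'), (3,'Credit note')");

// Well-formed request: "1,3" yields rows 1 and 3.
print_r(fetchDocuments($pdo, parseDocumentIds('1,3')));

// Malformed request: a token containing a closing parenthesis is not an
// integer. The vulnerable builder would splice it into the SQL text; the
// validator refuses it and the handler can answer with HTTP 400.
$tampered = '1,2)';
echo 'vulnerable SQL would be: ' . buildVulnerableQuery($tampered) . PHP_EOL;
try {
    parseDocumentIds($tampered);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
```

Two layers are deliberate: validation gives a clean 400 on malformed input (and a useful log line for detection), while the placeholders ensure that even a future change to the validator cannot turn the list back into SQL syntax.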
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| devcode-it/openstamanager (Packagist) | <= 2.9.8 | — |
Affected products
- Range: <= 2.9.8
- devcode-it/openstamanager: Range <= 2.9.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-4j2x-jh4m-fqv6 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-24419 (ghsa, ADVISORY)
- github.com/devcode-it/openstamanager/security/advisories/GHSA-4j2x-jh4m-fqv6 (ghsa, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.