Executive Summary

CVE-2026-24416 is a critical Time-Based Blind SQL Injection vulnerability found in OpenSTAManager versions up to and including v2.9.8. It exists in the article pricing module, specifically in the handling of the idarticolo parameter within a SQL query.

The vulnerability occurs because the idarticolo parameter is directly concatenated into a SQL query without proper sanitization or use of prepared statements, unlike other parameters. This improper handling allows attackers to inject arbitrary SQL commands.

Attackers can exploit this flaw by sending specially crafted requests that cause the database to delay responses based on injected conditions (using functions like SLEEP()). By measuring these delays, attackers can infer sensitive data from the database, such as user credentials, customer data, and financial records.

Exploitation requires authentication but has low complexity and can be performed remotely. The recommended fix is to modify the vulnerable SQL query to use prepared statements for the idarticolo parameter to prevent injection.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including unauthorized disclosure of sensitive data such as user credentials, customer information, and financial records.

Because it is a time-based blind SQL injection, attackers can extract complete database contents by inferring data through response delays.

The vulnerability allows attackers with low privileges (authenticated users) to perform remote attacks without user interaction, potentially compromising confidentiality, integrity, and availability of the system.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the vulnerable endpoint for time-based blind SQL injection using the idarticolo GET parameter.'}, {'type': 'paragraph', 'content': 'Specifically, sending requests to the affected endpoint `/modules/articoli/ajax/complete.php?op=getprezzi` with crafted payloads in the `idarticolo` parameter that cause measurable delays can confirm the presence of the vulnerability.'}, {'type': 'list_item', 'content': "Example test payload to detect the vulnerability: `idarticolo=1 AND SUBSTRING(DATABASE(),1,1)='o' AND (SELECT 1 FROM (SELECT(SLEEP(2)))a)`"}, {'type': 'paragraph', 'content': 'By measuring response delays after sending such requests, you can infer if the SQL injection is exploitable.'}, {'type': 'paragraph', 'content': 'An automated approach involves using scripts that iterate over characters and measure response times to extract data via time-based inference.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to modify the vulnerable SQL query to use prepared statements for the `idarticolo` parameter, ensuring proper sanitization.'}, {'type': 'paragraph', 'content': 'Specifically, change the query from concatenating the `idarticolo` parameter directly into the SQL string to using a prepared statement function, for example:'}, {'type': 'list_item', 'content': "Replace `WHERE idarticolo = ' . $idarticolo . '` with `WHERE idarticolo = ' . prepare($idarticolo) . '`"}, {'type': 'paragraph', 'content': 'This fix aligns the handling of `idarticolo` with other parameters like `idanagrafica` that are already sanitized.'}, {'type': 'paragraph', 'content': 'Additionally, restrict access to the article pricing functionality to trusted authenticated users and monitor for suspicious activity involving the vulnerable endpoint.'}] [1]

Useful 0 Not Useful 0