CVE-2026-24417
BaseFortify
Publication date: 2026-02-06
Last updated on: 2026-02-09
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| devcode | openstamanager | to 2.9.8 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2026-24417 is a critical Time-Based Blind SQL Injection vulnerability found in OpenSTAManager version 2.9.8 and earlier. It affects the global search functionality where the application improperly sanitizes the 'term' parameter used in SQL LIKE clauses across multiple search modules."}, {'type': 'paragraph', 'content': "Because the 'term' parameter is concatenated directly into SQL queries without proper escaping or use of prepared statements, attackers can inject arbitrary SQL commands. This allows them to perform time-based Boolean inference attacks by causing deliberate delays in the database responses."}, {'type': 'paragraph', 'content': 'The vulnerability impacts more than 10 modules, including Articoli, Ordini, DDT, Fatture, Preventivi, Anagrafiche, Impianti, Contratti, Automezzi, and Interventi. Exploitation requires authentication but no user interaction and can lead to extraction of sensitive data such as password hashes, personally identifiable information, financial records, and business secrets.'}] [1]
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized extraction of sensitive data from the database by authenticated users with access to the global search functionality.
- Attackers can retrieve password hashes which can be cracked offline.
- Sensitive customer personally identifiable information (PII), financial records, and business secrets can be exposed.
- The vulnerability can be exploited to cause denial-of-service conditions by amplifying resource consumption, leading to 504 Gateway Time-out errors.
Overall, the vulnerability compromises confidentiality, integrity, and availability of the affected system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the global search functionality of OpenSTAManager, specifically by sending crafted requests to the `/ajax_search.php` endpoint with malicious payloads in the `term` GET parameter.'}, {'type': 'paragraph', 'content': 'A common detection method involves injecting time-based SQL commands such as `SLEEP(1)` into the `term` parameter and observing if the response time is significantly delayed (e.g., around 85 seconds), indicating a time-based blind SQL injection.'}, {'type': 'paragraph', 'content': 'Example command using curl to test the vulnerability (authentication required):'}, {'type': 'list_item', 'content': "curl -i -X GET 'https://target/openstamanager/ajax_search.php?term=%22%20OR%20IF(SUBSTRING((SELECT database()),1,1)='a',SLEEP(1),0)%20--%20'"}, {'type': 'paragraph', 'content': "This command attempts to inject a conditional sleep based on the database name's first character. A significant delay in response time suggests the presence of the vulnerability."}, {'type': 'paragraph', 'content': 'Note that the vulnerability requires authentication and low privileges, so the testing user must be logged in.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps include:'}, {'type': 'list_item', 'content': 'Restrict access to the global search functionality and the `/ajax_search.php` endpoint to only trusted and authenticated users.'}, {'type': 'list_item', 'content': 'Apply the recommended fix by replacing all direct concatenations of the `term` parameter in SQL queries with parameterized queries using prepared statements to prevent SQL injection.'}, {'type': 'list_item', 'content': "Specifically, update the vulnerable code to use parameterized queries, for example: `$query .= ' OR ' . $value . ' LIKE ' . prepare('%' . $term . '%');`."}, {'type': 'list_item', 'content': 'Monitor for unusual delays or 504 Gateway Time-out errors which may indicate exploitation attempts.'}, {'type': 'list_item', 'content': 'If possible, upgrade to a fixed version of OpenSTAManager once available.'}] [1]