CVE-2026-24417
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-02-06

Last updated on: 2026-02-09

Assigner: GitHub, Inc.

Description
OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Time-Based Blind SQL Injection vulnerability in the global search functionality. The application fails to properly sanitize the term parameter before using it in SQL LIKE clauses across multiple module-specific search handlers, allowing attackers to inject arbitrary SQL commands and extract sensitive data through time-based Boolean inference.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-06
Last Modified
2026-02-09
Generated
2026-06-16
AI Q&A
2026-02-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24417
EUVD
EUVD-2026-5624
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
devcode openstamanager to 2.9.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-24417 is a critical Time-Based Blind SQL Injection vulnerability found in OpenSTAManager version 2.9.8 and earlier. It affects the global search functionality where the application improperly sanitizes the 'term' parameter used in SQL LIKE clauses across multiple search modules."}, {'type': 'paragraph', 'content': "Because the 'term' parameter is concatenated directly into SQL queries without proper escaping or use of prepared statements, attackers can inject arbitrary SQL commands. This allows them to perform time-based Boolean inference attacks by causing deliberate delays in the database responses."}, {'type': 'paragraph', 'content': 'The vulnerability impacts more than 10 modules, including Articoli, Ordini, DDT, Fatture, Preventivi, Anagrafiche, Impianti, Contratti, Automezzi, and Interventi. Exploitation requires authentication but no user interaction and can lead to extraction of sensitive data such as password hashes, personally identifiable information, financial records, and business secrets.'}] [1]

Impact Analysis

This vulnerability can have severe impacts including unauthorized extraction of sensitive data from the database by authenticated users with access to the global search functionality.

  • Attackers can retrieve password hashes which can be cracked offline.
  • Sensitive customer personally identifiable information (PII), financial records, and business secrets can be exposed.
  • The vulnerability can be exploited to cause denial-of-service conditions by amplifying resource consumption, leading to 504 Gateway Time-out errors.

Overall, the vulnerability compromises confidentiality, integrity, and availability of the affected system.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the global search functionality of OpenSTAManager, specifically by sending crafted requests to the `/ajax_search.php` endpoint with malicious payloads in the `term` GET parameter.'}, {'type': 'paragraph', 'content': 'A common detection method involves injecting time-based SQL commands such as `SLEEP(1)` into the `term` parameter and observing if the response time is significantly delayed (e.g., around 85 seconds), indicating a time-based blind SQL injection.'}, {'type': 'paragraph', 'content': 'Example command using curl to test the vulnerability (authentication required):'}, {'type': 'list_item', 'content': "curl -i -X GET 'https://target/openstamanager/ajax_search.php?term=%22%20OR%20IF(SUBSTRING((SELECT database()),1,1)='a',SLEEP(1),0)%20--%20'"}, {'type': 'paragraph', 'content': "This command attempts to inject a conditional sleep based on the database name's first character. A significant delay in response time suggests the presence of the vulnerability."}, {'type': 'paragraph', 'content': 'Note that the vulnerability requires authentication and low privileges, so the testing user must be logged in.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include:'}, {'type': 'list_item', 'content': 'Restrict access to the global search functionality and the `/ajax_search.php` endpoint to only trusted and authenticated users.'}, {'type': 'list_item', 'content': 'Apply the recommended fix by replacing all direct concatenations of the `term` parameter in SQL queries with parameterized queries using prepared statements to prevent SQL injection.'}, {'type': 'list_item', 'content': "Specifically, update the vulnerable code to use parameterized queries, for example: `$query .= ' OR ' . $value . ' LIKE ' . prepare('%' . $term . '%');`."}, {'type': 'list_item', 'content': 'Monitor for unusual delays or 504 Gateway Time-out errors which may indicate exploitation attempts.'}, {'type': 'list_item', 'content': 'If possible, upgrade to a fixed version of OpenSTAManager once available.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24417. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart