CVE-2026-24418
BaseFortify
Publication date: 2026-02-06
Last updated on: 2026-02-09
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| devcode | openstamanager | up to and including 2.9.8 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24418 is a critical error-based SQL injection vulnerability in OpenSTAManager version 2.9.8 and earlier, specifically in the Scadenzario (Payment Schedule) bulk operations module.

The vulnerability occurs because the application fails to validate that the elements of the id_records array are integers before using them in an SQL IN() clause. Instead, user-supplied values are concatenated directly into the SQL query without sanitization or type checking.

This flaw allows authenticated attackers to inject arbitrary SQL commands by sending malicious payloads via the id_records[] POST parameter. The injection exploits error messages generated by the database's XPATH functions to extract sensitive data.

As a result, attackers can retrieve complete database contents, including user credentials, customer personally identifiable information (PII), and financial records. [1]
How can this vulnerability impact me?
This vulnerability can have severe impacts including full disclosure of sensitive data stored in the OpenSTAManager database.
- Attackers can extract user credentials, allowing unauthorized access to user accounts.
- Customer personally identifiable information (PII) can be exposed, risking privacy breaches.
- Financial records can be accessed, potentially leading to financial fraud or data manipulation.
The attack requires only authenticated access and no user interaction, making it relatively easy for attackers with valid credentials to exploit.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint /actions.php?id_module=18 that include the id_records[] parameter with non-integer or malicious payloads.

A practical detection method is to capture and analyze HTTP POST traffic targeting the Scadenzario bulk operations module, looking for unusual SQL error messages or XPATH error messages in responses that indicate attempted SQL injection.

Example commands to detect potential exploitation attempts include using curl or tools like Burp Suite to send crafted POST requests with id_records[] containing SQL injection payloads and observing error responses:
- curl -X POST 'http://<target>/actions.php?id_module=18' -d 'id_records[]=1&id_records[]=2' -v
- curl -X POST 'http://<target>/actions.php?id_module=18' -d 'id_records[]=1&id_records[]=1 OR 1=1' -v

Monitoring web server logs for POST requests to this endpoint with unusual id_records[] values, or for error messages containing XPATH syntax errors, can also help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing strict input validation on the id_records[] parameter to ensure all elements are positive integers before they are used in SQL queries.

Specifically, modify the code handling id_records[] to sanitize and validate inputs, for example by applying intval conversion and filtering out non-positive values:
- Use code similar to: $id_records = array_map('intval', $id_records); $id_records = array_filter($id_records, fn($id) => $id > 0);

Additionally, avoid directly concatenating user input into SQL queries; instead, use parameterized queries or prepared statements to prevent SQL injection.

Restrict access to the Scadenzario bulk operations module to only trusted authenticated users until a patch or update is available.

Monitor for suspicious activity and consider temporarily disabling the vulnerable module if possible. [1]
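The following PHP block is an added example, not OpenSTAManager's own code, covering both the detection advice (flagging non-integer id_records[] values for logging) and the mitigation advice (strict validation plus a placeholder-based IN() clause instead of string concatenation). The table and column names, the function names, and the sample POST array are assumptions constructed for illustration.

```php
<?php
// Added example (not OpenSTAManager code): validate id_records[] from a bulk
// operation POST and bind it with placeholders instead of string concatenation.
// Table and column names are assumptions for illustration.

// Split raw id_records[] into accepted positive integers and rejected raw values.
// Rejected values are what a log or alert rule would flag.
function validate_id_records(array $raw): array
{
    $accepted = [];
    $rejected = [];
    foreach ($raw as $value) {
        // Only digit-only strings or positive ints pass. intval() alone would
        // quietly turn "1 OR 1=1" into 1 and hide the tampering attempt.
        if (is_int($value) && $value > 0) {
            $accepted[] = $value;
        } elseif (is_string($value) && preg_match('/^[1-9][0-9]*$/', $value) === 1) {
            $accepted[] = (int) $value;
        } else {
            $rejected[] = $value;
        }
    }
    return ['accepted' => array_values(array_unique($accepted)), 'rejected' => $rejected];
}

// Build a parameterised IN() clause: one "?" per id, values passed separately.
function build_scadenze_select(array $ids): ?array
{
    if ($ids === []) {
        return null;
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    // "co_scadenziario" is an assumed table name, not necessarily the project's.
    $sql = 'SELECT id, descrizione, scadenza FROM co_scadenziario WHERE id IN (' . $placeholders . ')';
    return [$sql, $ids];
}

// Constructed sample input resembling a tampered POST: two valid ids, one payload.
$post = ['id_records' => ['1', '2', '1 OR 1=1']];
$result = validate_id_records($post['id_records']);
if ($result['rejected'] !== []) {
    error_log('scadenzario bulk op: rejected id_records values ' . json_encode($result['rejected']));
}
if ($query = build_scadenze_select($result['accepted'])) {
    [$sql, $params] = $query;
    // $pdo->prepare($sql)->execute($params);  // run with a PDO connection
    echo $sql, PHP_EOL;
}
```

With the sample input the rejected list contains only the tampered value, and the generated SQL has two placeholders bound to the ids 1 and 2.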