Skip to main content

Openstamanager CVE-2026-24415

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-03 security-advisories@github.com GHSA-jfgp-g7x7-j25j
6.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 22:05 vuln.today
PoC Detected
Mar 05, 2026 - 18:26 vuln.today
Public exploit code
CVE Published
Mar 03, 2026 - 22:16 nvd
MEDIUM 6.1

DescriptionGitHub Advisory

OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contains Reflected XSS vulnerabilities in invoice/order/contract modification modals. The application fails to properly sanitize user-supplied input from the righe GET parameter before reflecting it in HTML output.The $_GET['righe'] parameter is directly echoed into the HTML value attribute without any sanitization using htmlspecialchars() or equivalent functions. This allows an attacker to break out of the attribute context and inject arbitrary HTML/JavaScript.

AnalysisAI

Reflected cross-site scripting in OpenSTAManager v2.9.8 and earlier allows unauthenticated attackers to inject malicious scripts through unsanitized GET parameters in invoice/order/contract modification interfaces. Public exploit code exists for this vulnerability, affecting all users of the software. An attacker can steal session tokens, perform unauthorized actions, or compromise user browsers when victims interact with crafted malicious links.

Technical ContextAI

Classified as CWE-79 (Cross-site Scripting (XSS)). Affects Openstamanager. OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contains Reflected XSS vulnerabilities in invoice/order/contract modification modals. The application fails to properly sanitize user-supplied input from the righe GET parameter before reflecting it in HTML output.The $_GET['righe'] parameter is directly echoed into the HTML value attribute without any sanitization using htmlspecialchars() or equivalent functions. This a

RemediationAI

Monitor vendor advisories for a patch. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.

CVE-2026-27012 CRITICAL POC
9.8 Mar 03

Privilege escalation and auth bypass in OpenSTAManager 2.9.8. PoC available.

CVE-2025-69212 HIGH POC
8.8 Feb 06

OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a cri

CVE-2025-69213 HIGH POC
8.8 Feb 04

OpenSTAManager is an open source management software for technical assistance and invoicing. In version 2.9.8 and prior,

CVE-2025-69215 HIGH POC
8.8 Feb 04

OpenSTAManager is an open source management software for technical assistance and invoicing. In version 2.9.8 and prior,

CVE-2025-69214 HIGH POC
8.8 Feb 06

OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, an SQ

CVE-2026-24419 MEDIUM POC
6.5 Feb 06

SQL injection in OpenSTAManager v2.9.8 and earlier allows authenticated attackers to extract sensitive data through the

CVE-2026-24418 MEDIUM POC
6.5 Feb 06

OpenSTAManager versions 2.9.8 and earlier are vulnerable to SQL injection in the Payment Schedule module's bulk operatio

CVE-2026-24417 MEDIUM POC
6.5 Feb 06

OpenSTAManager v2.9.8 and earlier allow authenticated attackers to conduct time-based SQL injection attacks through the

CVE-2026-24416 MEDIUM POC
6.5 Feb 06

OpenSTAManager v2.9.8 and earlier allows authenticated remote attackers to extract sensitive data through time-based SQL

CVE-2025-69216 MEDIUM POC
6.5 Feb 06

OpenSTAManager is an open source management software for technical assistance and invoicing. [CVSS 6.5 MEDIUM]

CVE-2023-38878 MEDIUM POC
6.1 Sep 11

A reflected cross-site scripting (XSS) vulnerability in DevCode OpenSTAManager versions 2.4.24 to 2.4.47 may allow a rem

CVE-2026-35168 HIGH
8.8 Apr 02

Arbitrary SQL execution in OpenSTAManager's database conflict resolution module allows authenticated attackers with acce

Share

CVE-2026-24415 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy