Openstamanager
CVE-2026-24415
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contains Reflected XSS vulnerabilities in invoice/order/contract modification modals. The application fails to properly sanitize user-supplied input from the righe GET parameter before reflecting it in HTML output.The $_GET['righe'] parameter is directly echoed into the HTML value attribute without any sanitization using htmlspecialchars() or equivalent functions. This allows an attacker to break out of the attribute context and inject arbitrary HTML/JavaScript.
Articles & Coverage 1
AnalysisAI
Reflected cross-site scripting in OpenSTAManager v2.9.8 and earlier allows unauthenticated attackers to inject malicious scripts through unsanitized GET parameters in invoice/order/contract modification interfaces. Public exploit code exists for this vulnerability, affecting all users of the software. An attacker can steal session tokens, perform unauthorized actions, or compromise user browsers when victims interact with crafted malicious links.
Technical ContextAI
Classified as CWE-79 (Cross-site Scripting (XSS)). Affects Openstamanager. OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contains Reflected XSS vulnerabilities in invoice/order/contract modification modals. The application fails to properly sanitize user-supplied input from the righe GET parameter before reflecting it in HTML output.The $_GET['righe'] parameter is directly echoed into the HTML value attribute without any sanitization using htmlspecialchars() or equivalent functions. This a
RemediationAI
Monitor vendor advisories for a patch. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.
More in Openstamanager
View allPrivilege escalation and auth bypass in OpenSTAManager 2.9.8. PoC available.
OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a cri
OpenSTAManager is an open source management software for technical assistance and invoicing. In version 2.9.8 and prior,
OpenSTAManager is an open source management software for technical assistance and invoicing. In version 2.9.8 and prior,
OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, an SQ
SQL injection in OpenSTAManager v2.9.8 and earlier allows authenticated attackers to extract sensitive data through the
OpenSTAManager versions 2.9.8 and earlier are vulnerable to SQL injection in the Payment Schedule module's bulk operatio
OpenSTAManager v2.9.8 and earlier allow authenticated attackers to conduct time-based SQL injection attacks through the
OpenSTAManager v2.9.8 and earlier allows authenticated remote attackers to extract sensitive data through time-based SQL
OpenSTAManager is an open source management software for technical assistance and invoicing. [CVSS 6.5 MEDIUM]
A reflected cross-site scripting (XSS) vulnerability in DevCode OpenSTAManager versions 2.4.24 to 2.4.47 may allow a rem
Arbitrary SQL execution in OpenSTAManager's database conflict resolution module allows authenticated attackers with acce
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-jfgp-g7x7-j25j