CVE-2026-24417
Published 2026-02-06
Priority: P3 45 · CVSS 3.1: 6.5 (Medium)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
EPSS: 0.37% (28.4th percentile)
OpenSTAManager is open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Time-Based Blind SQL Injection vulnerability in the global search functionality. The application fails to properly sanitize the `term` parameter before using it in SQL LIKE clauses across multiple module-specific search handlers, allowing attackers to inject arbitrary SQL commands and extract sensitive data through time-based Boolean inference.
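The defect described above is the familiar pattern of splicing the search term straight into a LIKE clause. The following is an added illustration, not OpenSTAManager's own code: a hypothetical PHP search handler using PDO, with the vulnerable form beside a hardened one that binds the term as a parameter and escapes LIKE wildcards; the table and column names, and the length cap as a defence-in-depth measure, are assumptions for the example.

```php
<?php
// Added illustration, not OpenSTAManager code: a hypothetical search handler
// that receives the `term` GET parameter. Table and column names are assumed.

// VULNERABLE: the term is spliced into the LIKE clause, so SQL syntax inside it
// becomes part of the statement. When every module handler is built this way,
// one request executes the injected SQL once per module.
function searchArticlesVulnerable(PDO $db, string $term): array
{
    $sql = "SELECT id, descrizione FROM articoli WHERE descrizione LIKE '%" . $term . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// LIKE metacharacters are escaped with '!' (declared via ESCAPE below) so a
// user-supplied '%' or '_' matches literally instead of widening the scan.
function escapeLikeTerm(string $term): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
}

// HARDENED: the term travels as a bound parameter, never as SQL text, so the
// statement's structure is fixed before any user data reaches the database.
function searchArticlesSafe(PDO $db, string $term): array
{
    // Defence in depth (assumed limit): bound the length so one request cannot
    // drive an expensive wildcard scan through every module handler.
    if (strlen($term) > 100) {
        throw new InvalidArgumentException('search term too long');
    }
    $stmt = $db->prepare(
        "SELECT id, descrizione FROM articoli WHERE descrizione LIKE :pattern ESCAPE '!'"
    );
    $stmt->execute([':pattern' => '%' . escapeLikeTerm($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Stand-alone demo on an in-memory SQLite table with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE articoli (id INTEGER PRIMARY KEY, descrizione TEXT)");
$db->exec("INSERT INTO articoli (descrizione) VALUES ('Cavo HDMI 2m'), ('Cavo USB-C'), ('Monitor 24%')");

// A term containing a quote breaks the vulnerable handler's statement but is
// plain data for the hardened one; '%' is searched literally, not as a wildcard.
var_dump(count(searchArticlesSafe($db, "Cavo")));
var_dump(count(searchArticlesSafe($db, "24%")));
var_dump(count(searchArticlesSafe($db, "O'Brien")));
```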
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| devcode-it | openstamanager | <= 2.9.8 | — |
| devcode | openstamanager | <= 2.9.8 | — |
CVSS provenance
NVD, CVSS v3.1: 6.5 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
NVD, CVSS v4.0: 8.7 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
OSV
osv · 2026-02-06
CVE-2026-24417 [HIGH] OpenSTAManager has a Time-Based Blind SQL Injection with Amplified Denial of Service
### Summary
Critical Time-Based Blind SQL Injection vulnerability affecting **multiple search modules** in OpenSTAManager v2.9.8 allows authenticated attackers to extract sensitive database contents including password hashes, customer data, and financial records through time-based Boolean inference attacks with **amplified execution** across 10+ modules.
**Status:** ✅ Confirmed and tested on live instance (v2.9.8)
**Vulnerable Parameter:** `term` (GET)
**Affected Endpoint:** `/ajax_search.php`
**Affected Modules:** Articoli, Ordini, DDT, Fatture, Preventivi, Anagrafiche, Impianti, Contratti, Automezzi, Interventi
### Details
OpenSTAManager v2.9.8 contains a critical Time-Based Blind SQL Injection vuln
GHSA
ghsa · 2026-02-06
CVE-2026-24417 [HIGH] CWE-89 OpenSTAManager has a Time-Based Blind SQL Injection with Amplified Denial of Service
No detection rules found.
No public exploits indexed.