Vulnerability Description
OpenSTAManager is open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contains Reflected XSS vulnerabilities in the invoice/order/contract modification modals. The application fails to properly sanitize user-supplied input from the righe GET parameter before reflecting it in HTML output. The $_GET['righe'] parameter is echoed directly into an HTML value attribute without any sanitization via htmlspecialchars() or an equivalent function. This allows an attacker to break out of the attribute context and inject arbitrary HTML/JavaScript.
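The defect described above, shown as an added PHP illustration rather than OpenSTAManager's own code: a constructed stand-in for the modal markup reflects `righe` raw into a value attribute, beside a hardened version that encodes for the attribute context. The function names, the surrounding markup and the sample input are assumptions.

```php
<?php
// Added illustration (not OpenSTAManager's code). The advisory states that
// $_GET['righe'] is echoed into an HTML value attribute unescaped; the markup
// below is a constructed stand-in for the real modal template.

// Pattern the advisory describes: raw reflection into an attribute.
function renderRigheInputVulnerable(string $righe): string
{
    return '<input type="hidden" name="righe" value="' . $righe . '">';
}

// Hardened form: encode for the HTML attribute context.
// ENT_QUOTES encodes both quote styles, so the value can never close the
// attribute early; ENT_SUBSTITUTE replaces malformed UTF-8 instead of making
// htmlspecialchars() return an empty string and silently drop the value.
function renderRigheInputSafe(string $righe): string
{
    $encoded = htmlspecialchars($righe, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="righe" value="' . $encoded . '">';
}

// If "righe" is only ever expected to carry a numeric row count (an assumption;
// the advisory does not say), validating the type first is the stronger fix
// and output encoding remains the second layer:
function normaliseRighe(mixed $raw): ?int
{
    return filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]) === false
        ? null
        : (int) $raw;
}

// Constructed sample input holding the characters that matter in attribute
// context: a double quote (closes the attribute) and angle brackets (open a tag).
$sample = 'abc" data-x="<i>';

echo renderRigheInputVulnerable($sample), PHP_EOL;
echo renderRigheInputSafe($sample), PHP_EOL;

// Self-check: after encoding, the attribute body contains no raw quote or
// angle bracket, so the browser still sees exactly one attribute.
$safe   = renderRigheInputSafe($sample);
$prefix = '<input type="hidden" name="righe" value="';
$inner  = substr($safe, strlen($prefix), -2);
assert(strpbrk($inner, '"<>') === false);
var_dump(normaliseRighe($sample) === null, normaliseRighe('12') === 12);
```

Run the two echo lines side by side to see the quote in the sample terminating the attribute in the first output and being encoded as `&quot;` in the second.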
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Devcode | Openstamanager | <= 2.9.8 |
Related Weaknesses (CWE)
References
- https://github.com/devcode-it/openstamanager/security/advisories/GHSA-jfgp-g7x7- (Exploit, Mitigation, Vendor Advisory)
FAQ
What is CVE-2026-24415?
CVE-2026-24415 is a vulnerability with a CVSS score of 6.1 (MEDIUM). OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contains Reflected XSS vulnerabilities in invoice/order/contract modifica...
How severe is CVE-2026-24415?
CVE-2026-24415 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-24415?
Check the references section above for vendor advisories and patch information. Affected products include: Devcode Openstamanager.