GHSA-4xwv-49c8-fvhq

Summary

Critical Error-Based SQL Injection vulnerability in the Scadenzario (Payment Schedule) bulk operations module of OpenSTAManager v2.9.8 allows authenticated attackers to extract complete database contents including user credentials, customer PII, and financial records through XML error messages.

Status: ✅ Confirmed and tested on live instance (v2.9.8) Vulnerable Parameter: id_records[] (POST array) Affected Endpoint: /actions.php?id_module=18 (Scadenzario module) Attack Type: Error-Based SQL Injection (IN clause)

Details

OpenSTAManager v2.9.8 contains a critical Error-Based SQL Injection vulnerability in the bulk operations handler for the Scadenzario (Payment Schedule) module. The application fails to validate that elements of the id_records array are integers before using them in an SQL IN() clause, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages.

Vulnerability Chain:

1. Entry Point: /actions.php (Lines 503-506)

   $id_records = post('id_records');
   $id_records = is_array($id_records) ? $id_records : explode(';', $id_records);
   $id_records = array_clean($id_records);
   $id_records = array_unique($id_records);
   

   The array_clean() function only removes empty values - it does NOT validate types.

2. Vulnerable Function: /lib/util.php (Lines 54-60)

   function array_clean($array)
   {
       if (!empty($array)) {
           return array_unique(array_values(array_filter($array, fn ($value) => !empty($value))));
       }
   }
   

   Impact: The function filters out empty values but accepts any non-empty value, including SQL Injection payloads.

3. SQL Injection Point: /modules/scadenzario/bulk.php (Line 88) PRIMARY VULNERABILITY

   $scadenze = $database->FetchArray('SELECT * FROM co_scadenziario LEFT JOIN (SELECT id as id_nota, ref_documento FROM co_documenti)as nota ON...