CVE-2026-24415: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in devcode-it openstamanager
OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contains Reflected XSS vulnerabilities in invoice/order/contract modification modals. The application fails to properly sanitize user-supplied input from the righe GET parameter before reflecting it in HTML output. The $_GET['righe'] parameter is directly echoed into the HTML value attribute without any sanitization using htmlspecialchars() or equivalent functions. This allows an attacker to break out of the attribute context and inject arbitrary HTML/JavaScript.
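The attribute-context break described above, as an added illustration that is not OpenSTAManager code: the modal markup is a constructed stand-in, and `html.escape(..., quote=True)` stands in for PHP's `htmlspecialchars()` with `ENT_QUOTES`.

```python
# Added example (not OpenSTAManager code): how an unencoded GET parameter
# escapes an HTML value attribute, and how attribute-context encoding
# (html.escape with quote=True, the equivalent of PHP htmlspecialchars with
# ENT_QUOTES) keeps it inside the attribute.
import html
from html.parser import HTMLParser


def render_vulnerable(righe: str) -> str:
    # Constructed stand-in for the modal's template: the parameter is
    # interpolated into the value attribute with no encoding at all.
    return f'<input type="hidden" name="righe" value="{righe}">'


def render_fixed(righe: str) -> str:
    safe = html.escape(righe, quote=True)  # encodes & < > " '
    return f'<input type="hidden" name="righe" value="{safe}">'


class _Collector(HTMLParser):
    """Records every start tag with its attributes, as a browser parser would."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup: str):
    p = _Collector()
    p.feed(markup)
    p.close()
    return p.tags


def attribute_round_trips(render, righe: str) -> bool:
    """True if the rendered fragment is exactly one <input> whose value
    attribute decodes back to the original parameter, i.e. the input never
    left the attribute context."""
    tags = parse_tags(render(righe))
    return len(tags) == 1 and tags[0][0] == "input" and tags[0][1].get("value") == righe


# Constructed attribute-breaking input: closes the quote and the tag, then
# adds an element of its own. No script is needed to show the context break.
BREAKOUT = '12"><b>injected</b><input value="'

if __name__ == "__main__":
    print(attribute_round_trips(render_vulnerable, "12,13"))   # True: benign value
    print(attribute_round_trips(render_vulnerable, BREAKOUT))  # False: three elements now
    print(attribute_round_trips(render_fixed, BREAKOUT))       # True: stays in the attribute
```

The parse step is the point: the vulnerable rendering yields three elements from one input, while the encoded rendering yields a single `<input>` whose value is the original string unchanged.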
AI Analysis
Technical Summary
CVE-2026-24415 is a reflected Cross-site Scripting (XSS) vulnerability identified in OpenSTAManager, an open-source management software used for technical assistance and invoicing. The vulnerability exists in versions 2.9.8 and earlier, specifically within the invoice, order, and contract modification modal dialogs. The root cause is the failure to properly sanitize user input from the 'righe' GET parameter before reflecting it in the HTML output. The parameter is directly echoed into an HTML attribute value without applying encoding functions such as htmlspecialchars(), allowing attackers to break out of the attribute context and inject arbitrary HTML or JavaScript code. This reflected XSS can be exploited by crafting malicious URLs that, when visited by authenticated or unauthenticated users, execute attacker-controlled scripts in the victim's browser context. The vulnerability does not require authentication but does require user interaction (clicking a malicious link). The CVSS 4.0 vector indicates a network attack vector, low attack complexity and no privileges required; although the vector records no user interaction for initial access, a victim must still open the crafted link for the XSS to trigger. The impact affects confidentiality and integrity partially, with no direct availability impact. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation leading to XSS.
Potential Impact
The primary impact of this vulnerability is on the confidentiality and integrity of user sessions and data within OpenSTAManager. Successful exploitation can allow attackers to execute arbitrary JavaScript in the context of the victim’s browser, potentially leading to session hijacking, theft of sensitive information such as authentication tokens or personal data, unauthorized actions performed on behalf of the user, or redirection to malicious websites. Since OpenSTAManager is used for invoicing and technical assistance management, attackers could manipulate financial or contractual data or disrupt business operations by misleading users. Although the vulnerability requires user interaction, phishing or social engineering campaigns could facilitate exploitation. The reflected nature limits persistent impact but still poses significant risk to users who access maliciously crafted URLs. Organizations relying on OpenSTAManager may face reputational damage, financial loss, and regulatory compliance issues if sensitive data is compromised. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as public disclosure may prompt attackers to develop exploits.
Mitigation Recommendations
To mitigate CVE-2026-24415, organizations should immediately review and update their OpenSTAManager installations to versions beyond 2.9.8 once patches become available. In the absence of official patches, apply input validation and output encoding best practices by ensuring all user-supplied input, especially the 'righe' GET parameter, is properly sanitized using functions like htmlspecialchars() or equivalent before rendering in HTML contexts. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. Educate users about the risks of clicking untrusted links and employ email filtering to detect phishing attempts. Additionally, monitor web application logs for suspicious requests containing unusual or encoded input in the 'righe' parameter. Consider deploying Web Application Firewalls (WAFs) with rules targeting reflected XSS payloads specific to OpenSTAManager. Regular security assessments and code reviews should be conducted to identify and remediate similar input validation issues proactively.
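The log-monitoring recommendation above, as an added example that is not OpenSTAManager or vendor tooling: it scans combined-format access log lines for requests whose 'righe' parameter, once URL-decoded (including double encoding), contains characters that close an HTML attribute or tag. The log lines and the `/editor.php` path are constructed, not the project's real paths.

```python
# Added example (not OpenSTAManager or vendor tooling): flag access-log
# requests whose 'righe' query parameter carries attribute-breaking characters.
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache/nginx "combined" log format; only ip, timestamp and request target are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that end an attribute value or a tag when reflected unencoded.
ATTR_BREAK = set('"\'<>')


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding so double-encoded values are not missed."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_righe(line: str):
    """Return (ip, timestamp, decoded_value) when the line carries a 'righe'
    parameter containing attribute-breaking characters, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    # parse_qs already decodes one layer; decode_fully handles any extra layers.
    for raw in parse_qs(query, keep_blank_values=True).get("righe", []):
        decoded = decode_fully(raw)
        if ATTR_BREAK & set(decoded):
            return (m.group("ip"), m.group("ts"), decoded)
    return None


def scan(lines):
    return [hit for hit in map(suspicious_righe, lines) if hit]


# Constructed sample lines: a normal request, a single-encoded break-out
# attempt, a double-encoded one, and a request without 'righe' at all.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Mar/2026:22:03:17 +0000] "GET /editor.php?righe=12,13 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [03/Mar/2026:22:05:01 +0000] "GET /editor.php?righe=12%22%3E%3Cb%3Ex%3C/b%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [03/Mar/2026:22:05:09 +0000] "GET /editor.php?righe=12%2522%253E HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [03/Mar/2026:22:06:44 +0000] "GET /editor.php?id=5 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, value in scan(SAMPLE_LOG):
        print(f"{ts} {ip} righe={value!r}")
```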
Affected Countries
United States, Germany, Italy, France, United Kingdom, Canada, Australia, Netherlands, Spain, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-22T18:19:49.174Z
- CVSS Version: 4.0
- State: PUBLISHED
Added to database: 3/3/2026, 10:03:17 PM
Last enriched: 3/3/2026, 10:17:33 PM
Last updated: 3/4/2026, 8:12:11 AM