OpenSTAManager, an open-source software for technical assistance and invoicing, suffers from a reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2026-24415. The vulnerability exists in versions 2.9.8 and earlier, specifically within invoice, order, and contract modification modals. The root cause is the failure to properly sanitize user input from the 'righe' GET parameter before reflecting it in the HTML output. The parameter's value is directly inserted into an HTML attribute without applying htmlspecialchars() or equivalent escaping functions, enabling an attacker to break out of the attribute context and inject arbitrary HTML or JavaScript code. This reflected XSS can be exploited by crafting malicious URLs that, when visited by a user, execute attacker-controlled scripts in the victim's browser context. The CVSS 4.0 vector indicates that the attack requires no privileges and no authentication but does require user interaction (clicking a malicious link). The vulnerability impacts confidentiality and integrity by enabling session hijacking, credential theft, or unauthorized actions performed on behalf of the user. Availability impact is low. No patches or exploit code are currently publicly available, but the vulnerability is published and should be addressed promptly.

The primary impact of CVE-2026-24415 is the potential for attackers to execute arbitrary JavaScript in the context of a victim's browser session when interacting with OpenSTAManager's vulnerable modals. This can lead to session hijacking, theft of sensitive information such as authentication tokens, unauthorized actions performed with the victim's privileges, and phishing or social engineering attacks via content manipulation. Organizations relying on OpenSTAManager for invoicing and technical assistance management risk exposure of sensitive business data and user credentials. Although the vulnerability requires user interaction, the ease of exploitation through crafted URLs makes it a significant risk, especially in environments where users may be less security-aware. The medium CVSS score reflects moderate impact and exploitability. If exploited at scale, it could disrupt business operations and damage organizational reputation.

To mitigate this vulnerability, organizations should immediately update OpenSTAManager to a version that properly sanitizes and encodes user input, if such a patch is available. In the absence of an official patch, implement the following specific measures: 1) Apply strict input validation on the 'righe' GET parameter to allow only expected characters or numeric values. 2) Use proper output encoding functions such as htmlspecialchars() with appropriate flags to escape user input before embedding it into HTML attributes. 3) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. 4) Educate users to avoid clicking suspicious links and implement email filtering to reduce phishing attempts. 5) Monitor web server logs for unusual requests targeting the vulnerable parameters. 6) Consider deploying Web Application Firewalls (WAFs) with rules to detect and block reflected XSS payloads targeting OpenSTAManager endpoints. These targeted mitigations go beyond generic advice by focusing on the specific vulnerable parameter and context.