## https://sploitus.com/exploit?id=F33F0F9C-D75E-527A-A996-CE53E9BA3624
# CVE-2026-24415: OpenSTAManager Affected by XSS in modifica_iva.php via righe parameter

## Overview

| Field | Details |
|---|---|
| **CVE ID** | CVE-2026-24415 |
| **Vulnerability Type** | Cross-Site Scripting (XSS) |
| **Severity** | MEDIUM |
| **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |

## Description

### Summary

Multiple Reflected Cross-Site Scripting (XSS) vulnerabilities in OpenSTAManager v2.9.8 allow unauthenticated attackers to execute arbitrary JavaScript code in the context of other users' browsers through crafted URL parameters, potentially leading to session hijacking, credential theft, and unauthorized actions.

**Vulnerable Parameter:** `righe` (GET)

### Details

OpenSTAManager v2.9.8 contains multiple Reflected XSS vulnerabilities in invoice/order/contract modification modals. The application fails to properly sanitize user-supplied input from the `righe` GET parameter before reflecting it in HTML output.

**Vulnerable Code Location:**
File: `/modules/contratti/modals/modifica_iva.php` (Line 125)

```php
<input type="hidden" name="righe" value="<?php echo $_GET['righe']; ?...
```
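To make the defect and its fix concrete, here is an added example (not OpenSTAManager's own code) that places the vulnerable echo-into-attribute pattern beside a hardened version and a shape check; it assumes PHP 8+ and that `righe` is meant to carry a comma-separated list of integer row ids (an assumption, adjust to the real format).

```php
<?php
// Added example, not code from OpenSTAManager: the vulnerable pattern from
// modifica_iva.php next to a hardened version, with a self-check at the end.
declare(strict_types=1);

// Vulnerable pattern as the advisory describes it: the raw GET value is
// concatenated straight into an HTML attribute. A `"` in the input closes the
// attribute, and whatever follows is parsed as new attributes or markup.
function render_righe_vulnerable(string $righe): string
{
    return '<input type="hidden" name="righe" value="' . $righe . '">';
}

// Hardened version: encode for the HTML-attribute context. ENT_QUOTES covers
// both quote styles; ENT_SUBSTITUTE keeps invalid UTF-8 from turning the
// whole value into an empty string, which would silently drop the field.
function render_righe_safe(string $righe): string
{
    $encoded = htmlspecialchars($righe, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="righe" value="' . $encoded . '">';
}

// Defence in depth: reject anything that is not the expected shape before it
// reaches the template. Assumption: a comma-separated list of integer ids.
function validate_righe(string $righe): ?string
{
    return preg_match('/^\d+(,\d+)*$/', $righe) === 1 ? $righe : null;
}

// Self-check with a constructed input that tries to close the attribute.
$constructed = '12" data-x="injected';

$vulnerable = render_righe_vulnerable($constructed);
$safe       = render_righe_safe($constructed);

if (!str_contains($vulnerable, 'data-x="injected')) { throw new RuntimeException('expected attribute break'); }
if (str_contains($safe, 'data-x="injected'))        { throw new RuntimeException('escaping failed'); }
if (!str_contains($safe, '&quot;'))                  { throw new RuntimeException('quote not encoded'); }
if (validate_righe($constructed) !== null)           { throw new RuntimeException('validator too loose'); }
if (validate_righe('12,13') !== '12,13')             { throw new RuntimeException('validator too strict'); }

echo $safe, PHP_EOL;
// <input type="hidden" name="righe" value="12&quot; data-x=&quot;injected">
```

The encoded output keeps the attacker-controlled text inside the `value` attribute as inert data, which is the property the original line lacks.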

## Affected Products

- **devcode-it/openstamanager** (versions: < 2.9.8)
## CWE Classification

- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
## References

- https://github.com/devcode-it/openstamanager/security/advisories/GHSA-jfgp-g7x7-j25j
- https://nvd.nist.gov/vuln/detail/CVE-2026-24415
- https://github.com/advisories/GHSA-jfgp-g7x7-j25j
## Disclaimer

This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.