devcode-it/openstamanager
cpe:2.3:a:devcode:openstamanager:*:*:*:*:*:*:*
- < 2.9.8
A reflected cross-site scripting vulnerability has been identified in OpenSTAManager versions prior to 2.9.8. This issue allows unauthenticated attackers to execute arbitrary JavaScript in the context of other users' browsers, potentially leading to session hijacking, credential theft, and unauthorized actions. The vulnerability arises because the application fails to properly sanitize user input from the 'righe' GET parameter before reflecting it in the HTML output of several modification modal files. As a result, an attacker can inject malicious scripts that are executed when the crafted URL is accessed.
Exploitation of this vulnerability allows for reflected cross-site scripting, where injected JavaScript is executed in the context of the user's browser. This could lead to session cookie theft, allowing for full account takeover, and the ability to perform actions on behalf of the victim, such as creating, modifying, or deleting records. Additionally, stolen CSRF tokens could be used to bypass CSRF protection.
To reproduce this vulnerability, log into an affected instance of OpenSTAManager version 2.9.8 with valid admin credentials. Then, navigate to one of the vulnerable modification modal URLs, such as the invoice modification modal, and append a crafted 'righe' parameter that includes a script injection payload, such as a script tag with JavaScript code. The injected script will execute in the context of the user's browser, demonstrating the cross-site scripting vulnerability.
To address this vulnerability, sanitize the 'righe' GET parameter using 'htmlspecialchars()' or an equivalent function before echoing it into the HTML output. This fix should be applied to all affected files.
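The reflection pattern described above, beside the `htmlspecialchars()` fix the advisory recommends, as an added example that is not OpenSTAManager's own code. It assumes the parameter is echoed into a quoted HTML attribute (the advisory does not say which HTML context the modal files use; `ENT_QUOTES` makes the escaping correct for both text nodes and quoted attributes) and, for the optional allow-list check, that `righe` is a comma-separated list of numeric row ids in this hypothetical handler. The function names and the sample input are constructed.

```php
<?php
// Added example, not OpenSTAManager code: a GET parameter reflected into HTML
// without escaping, next to the htmlspecialchars() fix.
declare(strict_types=1);

// Vulnerable pattern: the raw 'righe' value is concatenated straight into markup.
function render_rows_vulnerable(string $righe): string
{
    return '<input type="hidden" name="righe" value="' . $righe . '">';
}

// Hardened pattern: escape for HTML before echoing.
// ENT_QUOTES   escapes both ' and " (required inside attribute values).
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
// ENT_HTML5    selects HTML5 entity rules; the charset is given explicitly.
function render_rows_fixed(string $righe): string
{
    $safe = htmlspecialchars($righe, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="righe" value="' . $safe . '">';
}

// Optional stricter layer (assumption: 'righe' is only ever numeric row ids).
// Rejecting malformed input up front means nothing unexpected reaches the
// template at all; escaping on output remains the actual XSS fix.
function righe_is_id_list(string $righe): bool
{
    return preg_match('/^\d+(,\d+)*$/', $righe) === 1;
}

// Constructed sample input that closes the attribute and injects a tag.
$sample = '1,2"><script>alert(1)</script>';

echo "vulnerable: " . render_rows_vulnerable($sample) . PHP_EOL;
echo "fixed:      " . render_rows_fixed($sample) . PHP_EOL;
echo "id-list ok (sample): " . (righe_is_id_list($sample) ? 'yes' : 'no') . PHP_EOL;
echo "id-list ok (12,34):  " . (righe_is_id_list('12,34') ? 'yes' : 'no') . PHP_EOL;
```

Run with `php example.php`: the vulnerable line emits the injected tag verbatim, the fixed line emits `&quot;&gt;&lt;script&gt;...` so the browser renders it as attribute text, and the allow-list check rejects the sample while accepting `12,34`. When applying the fix across all affected files, use the same escaping call everywhere the value is reflected, and escape at the point of output rather than once at input so the stored value stays usable elsewhere.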