GestSup
GestSup before version 3.2.60 contains a pre-authentication stored XSS vulnerability in API error logging that allows unauthenticated attackers to inject malicious scripts into log files via crafted API requests. When administrators view these logs in the web interface, the injected scripts execute in their browser with administrative privileges due to insufficient output encoding. This impacts both GestSup and PHP-based installations, enabling attackers to compromise administrator accounts without prior authentication.
GestSup versions before 3.2.60 allow authenticated attackers to execute SQL injection attacks through insufficiently sanitized filtering and sorting parameters in the asset list functionality, potentially enabling unauthorized database access or modification. The vulnerability requires valid credentials to exploit but has no available patch, leaving affected installations vulnerable to data breach or manipulation depending on database permissions.
GestSup prior to version 3.2.60 is vulnerable to SQL injection in the ticket creation feature, allowing authenticated attackers to execute arbitrary database queries through unsanitized user input. An attacker with valid credentials can read or modify sensitive database contents depending on the database permission level. No patch is currently available.
Authenticated attackers can exploit SQL injection in GestSup's search functionality (versions before 3.2.60) to manipulate database queries and access or modify sensitive data. The vulnerability stems from insufficient input validation on user-controlled search parameters in SQL statements. With no patch currently available, affected organizations should implement database access controls and monitor for suspicious search activity.
GestSup through version 3.2.60 fails to implement CSRF protections, enabling attackers to forge requests that execute actions with a victim's privileges when the victim visits a malicious site. An unauthenticated attacker can exploit this to create privileged administrative accounts by targeting logged-in users. No patch is currently available.