GestioIP Cross-Site Scripting Vulnerability in IP Do Job Request

Vulnerability

A Cross-Site Scripting (XSS) vulnerability has been identified in GestioIP version 3.5.7. The issue arises in the 'ip_do_job' request, where user-supplied input is placed into application pages without adequate validation or output encoding, so an attacker can inject script that the victim's browser executes. Exploitation requires an authenticated account that holds the permissions needed to use the 'ip_do_job' function; the specific role is not detailed here. Because the injected script runs inside the victim's authenticated session, the flaw can also be used to mount Cross-Site Request Forgery (CSRF) style attacks against the application.

Impact

An attacker who can get a suitably privileged user to submit a crafted 'ip_do_job' request can run arbitrary script in that user's browser, in the origin of the GestioIP application. That script inherits the victim's session, so it can read page content and submit further requests on the victim's behalf; this is the CSRF-style impact noted above, in which actions in the IP address management interface are performed without the user's knowledge or consent. The attacker's reach is bounded by the victim's privileges within GestioIP.

Reproduction

To reproduce this vulnerability, log in to GestioIP version 3.5.7 with an account that holds the permissions required for the 'ip_do_job' function. Submit an 'ip_do_job' request in which one of the user-controlled fields carries a script payload; this page does not identify the affected parameter, so each field of the request should be tested in turn. If the submitted value is rendered without encoding, the browser executes it, demonstrating the Cross-Site Scripting vulnerability. When verifying, prefer a harmless, unique marker over a live payload, inspect the raw response to confirm the marker appears unencoded rather than relying on a visible pop-up, and test only against an instance you are authorised to assess.
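As an added example (not GestioIP's code and not part of the original advisory), the following Python builds a probe request that carries a harmless canary and classifies how a response reflects it, distinguishing raw reflection from fully and partially entity-encoded output. The request path under /gestioip/res/, the parameter name 'comment', and the two simulated handlers are assumptions standing in for whichever field of the 'ip_do_job' request is under test; the probe URL is only to be used against an instance you are authorised to assess.

```python
"""Reflection check for an XSS candidate such as GestioIP's 'ip_do_job' request.

Added example, not code from GestioIP or from the original advisory. The request
path, parameter name and the two simulated handlers below are assumptions.
"""
import html
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed canary: unique and harmless, but containing every character an
# HTML encoder must neutralise (<, >, ", '). It is a marker, not a payload.
CANARY = '<b id="xsscanary">\'probe</b>'

# Assumed names: the page does not state the real path or parameter, so these
# stand in for whichever field of the ip_do_job request is under test.
ASSUMED_PATH = "/gestioip/res/ip_do_job.cgi"
ASSUMED_PARAM = "comment"


def build_probe_url(base_url, path=ASSUMED_PATH, param=ASSUMED_PARAM, canary=CANARY):
    """Build a GET URL carrying the canary in one parameter.

    The canary is percent-encoded so proxies and the server's parser see the
    exact marker; only the application's own output encoding should alter it.
    """
    parts = urlsplit(base_url)
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode({param: canary}), ""))


def classify_reflection(body, canary=CANARY):
    """Classify how an HTML response body reflects the canary.

    'unescaped'         raw marker present: markup is interpreted (vulnerable)
    'escaped'           only an entity-encoded copy present, quotes included (fixed)
    'partially_escaped' < and > encoded but quotes are not: safe in element text,
                        still breakable inside a quoted attribute value
    'not_reflected'     the value does not appear in the response at all
    """
    if canary in body:
        return "unescaped"
    full = html.escape(canary, quote=True)
    # Perl's HTML::Entities writes the apostrophe as &#39;, Python as &#x27;.
    full_forms = {full, full.replace("&#x27;", "&#39;")}
    if any(form in body for form in full_forms):
        return "escaped"
    if html.escape(canary, quote=False) in body:
        return "partially_escaped"
    return "not_reflected"


def render_vulnerable(value):
    """Simulated handler that interpolates the submitted value into HTML as-is,
    the class of defect described above (constructed, not GestioIP's code)."""
    return f"<html><body><p>Job comment: {value}</p></body></html>"


def render_hardened(value):
    """The same handler with output encoding applied at the point of insertion."""
    return f"<html><body><p>Job comment: {html.escape(value, quote=True)}</p></body></html>"


def check_handler(render):
    """Run the probe through a handler and return its classification."""
    return classify_reflection(render(CANARY))


if __name__ == "__main__":
    print("probe URL:", build_probe_url("https://ipam.example.test"))
    for name, handler in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(f"{name}: {check_handler(handler)}")
```

The 'partially_escaped' outcome is the one worth watching for after a patch: encoding only angle brackets stops injection in element text but not inside a quoted attribute, so the raw response, not just the absence of a pop-up, is what confirms the fix.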

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact          1.7
exploitability  6.3
remediation     0.0
relevance       0.0
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.