GestSup
cpe:2.3:a:gestsup:gestsup:*:*:*:*:*:*:*
- <= 3.2.56
A stored cross-site scripting vulnerability has been identified in GestSup versions 3.2.56 and prior. The issue resides in the API error logging feature, where an unauthenticated attacker can inject malicious HTML or JavaScript. When an API request with a manipulated X-API-KEY header is sent to endpoints like /api/v1/ticket.php, the injected script is logged without proper encoding. When an administrator accesses these logs through the web interface, the malicious content is executed in the administrator's browser session, potentially leading to unauthorized actions or data exposure.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the logs, such as an administrator.
To reproduce this vulnerability, send an API request to the GestSup server with a crafted X-API-KEY header. This can be done using tools like curl or Postman. The request should be directed to the /api/v1/ticket.php endpoint. Once the injected script is logged, an administrator can view the logs through the web interface, where the script will be executed in their browser.
Users are advised to update to GestSup version 3.2.59 or later, where this vulnerability has been addressed.
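The pattern behind this issue, shown as an added example that is neither GestSup's code nor its actual patch: a logged header value rendered into an admin log view without and with output encoding. The function names, the log entry layout and the sample header value are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: GestSup's real logging code is not shown in this advisory.

/** Record an API error, keeping the header value but dropping control
 *  characters so a single request cannot forge extra log lines. */
function log_api_error(array &$log, string $apiKey, string $endpoint): void
{
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '?', $apiKey) ?? '';
    $log[] = [
        'time'     => gmdate('c'),
        'endpoint' => $endpoint,
        // Cap the stored length so one request cannot flood the log view.
        'api_key'  => substr($clean, 0, 128),
    ];
}

/** Encode a value for an HTML text or quoted-attribute context.
 *  ENT_SUBSTITUTE replaces invalid UTF-8 (for example a character cut
 *  by substr) instead of returning an empty string. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable pattern: the logged header value is concatenated into markup as-is. */
function render_row_unsafe(array $e): string
{
    return "<tr><td>{$e['time']}</td><td>{$e['endpoint']}</td><td>{$e['api_key']}</td></tr>";
}

/** Hardened pattern: every logged field is encoded at output time. */
function render_row_safe(array $e): string
{
    return '<tr><td>' . h($e['time']) . '</td><td>' . h($e['endpoint'])
         . '</td><td>' . h($e['api_key']) . '</td></tr>';
}

// Constructed sample: a header value containing markup, as the advisory describes.
$log = [];
log_api_error($log, '<script>alert(1)</script>', '/api/v1/ticket.php');

echo render_row_unsafe($log[0]), PHP_EOL; // for contrast only: the browser would parse the tag
echo render_row_safe($log[0]), PHP_EOL;   // the same value is displayed as inert text
```

Encoding at render time also covers entries that were written to the log before any fix was applied, which input filtering alone does not.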