CVE-2024-23167 Scanner
CVE-2024-23167 Scanner - Cross-Site Scripting (XSS) vulnerability in GestSup
Short Info
Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 1 week 16 hours
Scan only one: Domain, IPv4
Toolbox: -
GestSup is a widely used helpdesk and technical support management application that lets organizations manage support tickets. It is commonly deployed by IT departments and service desk teams across many industries and provides ticketing, asset management and reporting, which makes it central to workflow management and customer support. By organizing support requests it improves response times and resource allocation. It is used by small and large enterprises alike, and its flexibility and customizable features have led to its adoption in diverse environments.
Cross-Site Scripting (XSS) is a web vulnerability that allows an attacker to inject script into web pages viewed by other users. It occurs when an application writes untrusted data into a page without validating it on input or encoding it on output. The injected script then runs in the victim's browser with that user's session, which can lead to session hijacking, page defacement or delivery of malware. XSS threatens both site integrity and user data, and fixing it matters for organizational reputation and user trust alike.
The vulnerability in GestSup is in the calendar feature, specifically the 'calendar.php' script. When a user adds an event to the calendar, the 'title' parameter is accepted without sanitization or output encoding, so a title containing HTML or script is written into the page as-is. Because the title is stored and rendered later, this is a stored XSS: the injected script executes in the browser of every user who views the calendar, which can lead to information theft or session hijacking and expose sensitive organizational data to the attacker.
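The following Python model is an added example, not GestSup's code and not the scanner's implementation. It reproduces the pattern described above in miniature: one hypothetical renderer writes the stored calendar title into the page verbatim (the vulnerable pattern), the other HTML-encodes it at output time. A small check then distinguishes the two the way a stored-XSS probe would, by submitting a unique canary title and testing whether it came back as parsed markup rather than as text. The function names, the markup and the canary format are assumptions made for the example.

```python
"""Added example: vulnerable vs. encoded rendering of a stored calendar title,
plus a canary-based check. Not GestSup code; markup and names are hypothetical."""
import html
import secrets
from html.parser import HTMLParser

CANARY_PREFIX = "xsschk"


def make_canary(token=None):
    """Return (tag_name, title) where the title is a value that, if written
    into HTML unencoded, closes the current attribute/tag and opens a new
    element named tag_name. A fixed token makes the example deterministic."""
    token = token or secrets.token_hex(4)
    tag = f"{CANARY_PREFIX}{token}"
    return tag, f'"><{tag}>'


def render_calendar_vulnerable(events):
    """Hypothetical vulnerable renderer: the stored title is concatenated
    into the page with no output encoding (the pattern behind the CVE)."""
    rows = "".join(
        f'<li class="event" title="{e["title"]}">{e["title"]}</li>' for e in events
    )
    return f"<ul>{rows}</ul>"


def render_calendar_fixed(events):
    """Same markup, but the title is HTML-encoded at output time. quote=True
    also encodes ' and " so the value is safe inside the title attribute."""
    rows = []
    for e in events:
        safe = html.escape(e["title"], quote=True)
        rows.append(f'<li class="event" title="{safe}">{safe}</li>')
    return f"<ul>{''.join(rows)}</ul>"


class _StartTags(HTMLParser):
    """Collects the names of all start tags the browser-like parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def canary_became_element(body, tag):
    """True if the canary tag name appears as a real element in the response,
    i.e. the stored title was interpreted as markup rather than as text.
    Parsing instead of substring-matching avoids counting encoded copies."""
    parser = _StartTags()
    parser.feed(body)
    return tag in parser.tags


def check_renderer(render, token="deadbeef"):
    """Store a canary event, render the calendar, report whether it is
    vulnerable. Mirrors what a scanner would do against calendar.php:
    create an event with the canary title and inspect the calendar page."""
    tag, title = make_canary(token)
    body = render([{"title": "Team meeting"}, {"title": title}])
    return canary_became_element(body, tag)


if __name__ == "__main__":
    print("vulnerable renderer flagged:", check_renderer(render_calendar_vulnerable))
    print("fixed renderer flagged:     ", check_renderer(render_calendar_fixed))
```

The check parses the response rather than searching for the raw payload so that an encoded echo of the canary (`&lt;xsschk...&gt;`) is not mistaken for a hit. The fix shown is output encoding with quotes included; encoding only `<` and `>` would still leave the attribute context exploitable.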
Exploiting this vulnerability can have serious consequences, starting with unauthorized access to sensitive data. An attacker can read or alter calendar data, steal session cookies and impersonate legitimate users, including those with higher privileges who view the calendar. Script execution in the victim's browser can also be used to deliver malicious software to user devices. A resulting breach damages the organization's credibility and exposes users to privacy violations.