Description
GestSup versions prior to 3.2.60 contain a pre-authentication stored cross-site scripting (XSS) vulnerability in the API error logging functionality. By sending an API request with a crafted X-API-KEY header value (for example, to /api/v1/ticket.php), an unauthenticated attacker can cause attacker-controlled HTML/JavaScript to be written to log entries. When an administrator later views the affected logs in the web interface, the injected content is rendered without proper output encoding, resulting in arbitrary script execution in the administrator’s browser session.
Published: 2026-01-09
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary script execution in an administrator’s browser session via stored XSS
Action: Immediate Patch
AI Analysis

Impact

GestSup versions prior to 3.2.60 allow an attacker to inject attacker-controlled HTML or JavaScript into API error logs by sending a crafted X-API-KEY header with an unauthenticated request. The injected payload is stored and later rendered in the web interface without proper output encoding, enabling arbitrary script execution in an administrator's browser, which can lead to session hijacking or other malicious actions.

Affected Systems

The vulnerability affects the GestSup product, specifically all releases prior to version 3.2.60. No other products or vendors are listed as affected.

Risk and Exploitability

The CVSS score of 5.1 classifies the issue as medium severity, while the EPSS score of less than 1% indicates a very low likelihood of exploitation at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. The attack can be performed from any network location without authentication, typically by sending a forged HTTP request to the API endpoint (e.g., /api/v1/ticket.php). Because the payload is stored and executes only when an administrator views the log entries, exploitation depends on a privileged user opening the logs. Nonetheless, the potential for compromising an admin session remains.

Generated by OpenCVE AI on April 16, 2026 at 18:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GestSup to version 3.2.60 or later to remove the stored XSS flaw.
  • If an upgrade is not immediately possible, configure the application to disable or properly sanitize API error logging so that any stored payload is escaped or omitted before display.
  • Monitor error logs for anomalous entries containing scripts or unusual X-API-KEY values and investigate any suspicious activity.
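As an added example (not GestSup code and not part of the advisory), the following Python scans constructed API error log lines for X-API-KEY values that carry markup or do not look like real tokens, which is the kind of monitoring the last action above calls for, and shows the output encoding a log view needs before placing such values in HTML. The log line layout and the expected key format are assumptions made for the example.

```python
import html
import re
from dataclasses import dataclass

# Constructed sample log. The line layout is an assumption for this example;
# the advisory does not show GestSup's real log format.
SAMPLE_LOG = """\
2026-01-09 10:00:01 api_error endpoint=/api/v1/ticket.php key=3f9a1c2b7d4e
2026-01-09 10:02:14 api_error endpoint=/api/v1/ticket.php key=<script>alert(1)</script>
2026-01-09 10:03:30 api_error endpoint=/api/v1/ticket.php key=x" onmouseover="alert(1)
2026-01-09 10:05:00 api_error endpoint=/api/v1/ticket.php key=a9b8c7d6e5f0
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) api_error endpoint=(?P<endpoint>\S+) key=(?P<key>.*)$")
# Assumption: legitimate API keys are short alphanumeric tokens.
KEY_RE = re.compile(r"^[A-Za-z0-9]{8,64}$")
# Markup that has no business in a key: tags, quotes, event-handler attributes, script URLs.
MARKUP_RE = re.compile(r"[<>\"']|\bon\w+\s*=|javascript:", re.IGNORECASE)


@dataclass
class LogEntry:
    ts: str
    endpoint: str
    key: str


def parse_entries(text: str) -> list:
    """Parse the constructed log format into LogEntry records, skipping unknown lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(LogEntry(m["ts"], m["endpoint"], m["key"]))
    return entries


def is_suspicious(key: str) -> bool:
    """True when the logged key carries markup or does not match the expected token shape."""
    return bool(MARKUP_RE.search(key)) or not KEY_RE.fullmatch(key)


def scan(text: str) -> list:
    """Return only the entries an analyst should look at."""
    return [e for e in parse_entries(text) if is_suspicious(e.key)]


def render_cell(value: str) -> str:
    """Escape a logged value before it goes into HTML so stored markup is shown as text."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for e in scan(SAMPLE_LOG):
        print(f"{e.ts} suspicious key on {e.endpoint}: {render_cell(e.key)}")
```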

Advisories

No advisories yet.

History

Wed, 14 Jan 2026 19:45:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:gestsup:gestsup:*:*:*:*:*:*:*:*

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Wed, 14 Jan 2026 16:30:00 +0000

Type: Description
Values Removed: GestSup versions up to and including 3.2.56 contain a pre-authentication stored cross-site scripting (XSS) vulnerability in the API error logging functionality. By sending an API request with a crafted X-API-KEY header value (for example, to /api/v1/ticket.php), an unauthenticated attacker can cause attacker-controlled HTML/JavaScript to be written to log entries. When an administrator later views the affected logs in the web interface, the injected content is rendered without proper output encoding, resulting in arbitrary script execution in the administrator’s browser session.
Values Added: GestSup versions prior to 3.2.60 contain a pre-authentication stored cross-site scripting (XSS) vulnerability in the API error logging functionality. By sending an API request with a crafted X-API-KEY header value (for example, to /api/v1/ticket.php), an unauthenticated attacker can cause attacker-controlled HTML/JavaScript to be written to log entries. When an administrator later views the affected logs in the web interface, the injected content is rendered without proper output encoding, resulting in arbitrary script execution in the administrator’s browser session.

Type: Title
Values Removed: GestSup <= 3.2.56 Stored XSS in API Error Logs
Values Added: GestSup < 3.2.60 Stored XSS in API Error Logs

Mon, 12 Jan 2026 14:45:00 +0000

Type: First Time appeared
Values Added: Gestsup; Gestsup gestsup

Type: Vendors & Products
Values Added: Gestsup; Gestsup gestsup

Fri, 09 Jan 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 09 Jan 2026 16:30:00 +0000

Type: Description
Values Added: GestSup versions up to and including 3.2.56 contain a pre-authentication stored cross-site scripting (XSS) vulnerability in the API error logging functionality. By sending an API request with a crafted X-API-KEY header value (for example, to /api/v1/ticket.php), an unauthenticated attacker can cause attacker-controlled HTML/JavaScript to be written to log entries. When an administrator later views the affected logs in the web interface, the injected content is rendered without proper output encoding, resulting in arbitrary script execution in the administrator’s browser session.

Type: Title
Values Added: GestSup <= 3.2.56 Stored XSS in API Error Logs

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics (cvssV4_0)
Values Added: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:15.900Z

Reserved: 2026-01-06T16:47:17.184Z

Link: CVE-2026-22198

Vulnrichment

Updated: 2026-01-09T17:47:53.707Z

NVD

Status: Analyzed

Published: 2026-01-09T17:15:55.310

Modified: 2026-01-14T19:43:12.993

Link: CVE-2026-22198

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T18:30:10Z

Weaknesses