Vendor: GestioIP
By: m4xth0r (Maximiliano Belino)
CVSS: 6.1 (HIGH)
CWE: 79 (Stored Cross-Site Scripting (XSS))
Product Name: GestioIP
Affected Version From: 3.5.2007
Affected Version To: 3.5.2007
Patch Exists: NO
Related CWE: CVE-2024-50861
CPE: a:gestioip:gestioip:3.5.7
Metasploit:
Other Scripts:
Platforms Tested: Kali Linux
Date: 2025

GestioIP 3.5.7 – Stored Cross-Site Scripting Vulnerability

The form at 'http://localhost/gestioip/res/ip_mod_dns_key_form.cgi' in GestioIP 3.5.7 is susceptible to stored XSS. An authenticated attacker can inject malicious code into the 'tsig_key' form field; once the value is saved to the database, the injected code runs in the browser of any user who opens the 'DNS Key' page.

Mitigation:

To mitigate this vulnerability, sanitize and validate user input so that stored values cannot be interpreted as script when they are rendered. Regular security assessments and code reviews help identify and address vulnerabilities of this kind.
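The following is an added illustration of the mitigation, written for this page and not taken from GestioIP's source. It assumes a Perl CGI context like the one the affected form runs in, and it assumes a TSIG key is expected to be base64 text; the function names and the sample value are constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not GestioIP code): validate a TSIG key before it is
# stored, and HTML-encode it when it is rendered, so a stored value can
# never be interpreted as markup on the 'DNS Key' page.
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Input validation: a TSIG key is base64 text, so reject anything that
# does not match that shape before it reaches the database.
# (Assumption: the application only ever needs base64-formatted keys.)
sub valid_tsig_key {
    my ($key) = @_;
    return 0 unless defined $key && length $key;
    return $key =~ m{\A[A-Za-z0-9+/]+={0,2}\z} ? 1 : 0;
}

# Output encoding: encode_entities() turns < > & " ' into entities, so
# whatever was stored is shown as text rather than executed as script.
sub render_key_cell {
    my ($key) = @_;
    return '<td>' . encode_entities($key) . '</td>';
}

# Constructed sample values: one legitimate key and one that carries
# markup, as an unvalidated form field would accept it.
my @samples = (
    'dGhpcyBpcyBhIHRlc3Qga2V5',   # plain base64 text
    '<b>not a key</b>',           # markup that must not be stored raw
);

for my $value (@samples) {
    if (valid_tsig_key($value)) {
        print "accepted: ", render_key_cell($value), "\n";
    }
    else {
        # Even when rejecting, echo the value only in encoded form.
        print "rejected: ", render_key_cell($value), "\n";
    }
}
```

Validation alone is not enough if the rendering path still prints stored values raw, and encoding alone leaves junk in the database; applying both, with the encoding done at the point of output, is the check a reviewer would look for in the form handler and in the page that lists DNS keys.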