CVE-2026-22198
📋 TL;DR
This CVE describes a pre-authentication stored XSS vulnerability in GestSup's API error logging functionality. Unauthenticated attackers can inject malicious scripts into log entries, which execute when administrators view those logs in the web interface. This affects all GestSup installations prior to version 3.2.60.
💻 Affected Systems
- GestSup
📦 What is this software?
GestSup is a help desk and ticket management web application published by GestSup (gestsup.fr).
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, perform actions as administrators (create/delete tickets, modify configurations), or redirect administrators to malicious sites.
Likely Case
Attackers would steal administrator session cookies to gain unauthorized access to the GestSup administration interface.
If Mitigated
With proper output encoding and input validation, the malicious scripts would be rendered as harmless text rather than executable code.
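The contrast between the vulnerable and the mitigated rendering, as an added example that is not GestSup's code (GestSup is written in PHP; Python's html.escape stands in here for PHP's htmlspecialchars with ENT_QUOTES). The injected header value and the log record layout are constructed for the illustration:

```python
import html

# Constructed sample: a value an unauthenticated client could place in the
# X-API-KEY header, which the vulnerable code wrote into its error log verbatim.
INJECTED_KEY = "<script>alert(1)</script>"


def log_entry(api_key: str, src_ip: str) -> dict:
    """Store the raw value as data. Storing it is not the bug; rendering it
    unescaped into the admin page is."""
    return {"src_ip": src_ip, "api_key": api_key, "message": "invalid API key"}


def render_row_unsafe(entry: dict) -> str:
    """Vulnerable pattern: untrusted log fields concatenated straight into HTML,
    so a stored <script> tag runs in the administrator's browser."""
    return f"<tr><td>{entry['src_ip']}</td><td>{entry['api_key']}</td></tr>"


def render_row_safe(entry: dict) -> str:
    """Hardened pattern: HTML-escape every untrusted field at output time.
    The payload is still in the log, but it is shown as text, not executed."""
    cells = (html.escape(str(v), quote=True) for v in (entry["src_ip"], entry["api_key"]))
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


def contains_raw_script_tag(rendered: str) -> bool:
    """Check used for verification: does the rendered HTML still carry a raw <script tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    entry = log_entry(INJECTED_KEY, "198.51.100.7")
    print("unsafe:", render_row_unsafe(entry))
    print("safe:  ", render_row_safe(entry))
```

Escaping at output is the primary fix; input validation on the header (for example rejecting anything that is not a plausible key) and a CSP that blocks inline scripts are defence in depth, not substitutes.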
🎯 Exploit Status
Exploitation requires sending crafted API requests and waiting for administrator log viewing, but the attack vector is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.60
Vendor Advisory: https://gestsup.fr/index.php?page=changelog
Restart Required: No
Instructions:
1. Back up your GestSup installation and database.
2. Download version 3.2.60 or later from the official GestSup website.
3. Replace the existing installation files with the updated version.
4. Verify that the update completed successfully.
🔧 Temporary Workarounds
Disable API Access
Temporarily disable the API endpoints, or restrict access to them to trusted IP addresses only.
# Configure the web server (Apache/Nginx) to block /api/ paths or restrict them by source IP
Implement WAF Rules
Add web application firewall rules to detect and block XSS payloads in API headers.
# Example ModSecurity rule: SecRule REQUEST_HEADERS:X-API-KEY "@detectXSS" "id:1001,phase:1,deny,log,msg:'XSS payload in X-API-KEY header'"
🧯 If You Can't Patch
- Restrict access to the GestSup web interface to trusted administrator IP addresses only.
- Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources.
🔍 How to Verify
Check if Vulnerable:
Check if your GestSup version is below 3.2.60 by examining the version in the web interface or configuration files.
Check Version:
Check the GestSup web interface footer or examine the includes/version.php file for version information.
Verify Fix Applied:
After updating to 3.2.60 or later, verify the version displays correctly and test that XSS payloads in API headers are properly sanitized in logs.
📡 Detection & Monitoring
Log Indicators:
- Unusual API requests with JavaScript or HTML tags in X-API-KEY headers
- Multiple failed API authentication attempts from single sources
Network Indicators:
- HTTP requests to /api/v1/ticket.php with suspicious header content
- Outbound connections from GestSup server to unknown external IPs after log viewing
SIEM Query:
source="gestsup" AND uri_path="/api/v1/ticket.php" AND http_header="X-API-KEY" AND (http_header_value CONTAINS "<script>" OR http_header_value CONTAINS "javascript:")
(Pseudo-query: the parentheses group the two payload indicators so that the source and path filters apply to both; adapt the field names to your SIEM's schema.)
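The detection logic behind the indicators above, run over a handful of constructed log lines (added example, not part of the advisory). GestSup's real log format is not given on the page, so the sample uses one JSON record per line with the field names src_ip, uri_path, status and x_api_key; adapt them to your web-server or application log.

```python
import json
import re
from collections import Counter

# Constructed sample log: one JSON record per line, invented for this example.
SAMPLE_LOG = """
{"src_ip": "203.0.113.5", "uri_path": "/api/v1/ticket.php", "status": 401, "x_api_key": "<script>alert(1)</script>"}
{"src_ip": "203.0.113.5", "uri_path": "/api/v1/ticket.php", "status": 401, "x_api_key": "abc"}
{"src_ip": "203.0.113.5", "uri_path": "/api/v1/ticket.php", "status": 401, "x_api_key": "def"}
{"src_ip": "203.0.113.9", "uri_path": "/api/v1/ticket.php", "status": 401, "x_api_key": "javascript:void(0)"}
{"src_ip": "198.51.100.2", "uri_path": "/api/v1/ticket.php", "status": 200, "x_api_key": "valid-key-000"}
{"src_ip": "198.51.100.2", "uri_path": "/index.php", "status": 200, "x_api_key": ""}
"""

# Indicators from the advisory: HTML tags or javascript: URIs in the API key
# header. The event-handler pattern (onxxx=) is a common extra; tune for your data.
XSS_PATTERN = re.compile(r"<[a-zA-Z/!]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

# Threshold for "multiple failed API authentication attempts from a single source".
FAILED_AUTH_THRESHOLD = 3


def parse_log(text: str) -> list:
    """Parse the JSON-lines log into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_api_request(entry: dict) -> bool:
    return entry.get("uri_path", "").startswith("/api/")


def find_xss_in_api_key(entries: list) -> list:
    """Log indicator: API requests whose X-API-KEY value carries markup or a javascript: URI."""
    return [e for e in entries
            if is_api_request(e) and XSS_PATTERN.search(e.get("x_api_key", ""))]


def find_repeated_auth_failures(entries: list, threshold: int = FAILED_AUTH_THRESHOLD) -> dict:
    """Log indicator: source IPs with at least `threshold` 401 responses on API paths."""
    counts = Counter(e["src_ip"] for e in entries
                     if is_api_request(e) and e.get("status") == 401)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for hit in find_xss_in_api_key(entries):
        print("XSS indicator:", hit["src_ip"], repr(hit["x_api_key"]))
    for ip, n in find_repeated_auth_failures(entries).items():
        print("repeated API auth failures:", ip, n)
```

Because the payload is stored and only fires when an administrator opens the log page, the header-level check above is the earliest point of detection; the outbound-connection indicator only appears after the fact.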