Description
GestSup versions up to and including 3.2.60 contain a cross-site request forgery (CSRF) vulnerability where the application does not verify the authenticity of client requests. An attacker can induce a logged-in user to submit crafted requests that perform actions with the victim's privileges. This can be exploited to create privileged accounts by targeting the administrative user creation endpoint.
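The missing control described above is request-authenticity verification: a browser will attach the victim's session cookie to any form post, so the server must demand something the attacker's page cannot supply. The synchronizer-token pattern below is an added illustration, not GestSup's code; the session store, the `helpdesk.example` host and the `username`/`role` form fields are constructed for the demonstration. It shows a per-session token bound to the authenticated session and compared in constant time, with an Origin/Referer check as defence in depth, applied to an admin-only user-creation handler.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed stand-in for a server-side session store (assumption, not GestSup's).
def new_session(user="admin"):
    """Create a session and mint a random per-session CSRF token."""
    return {"user": user, "csrf_token": secrets.token_hex(32)}

def render_form_token(session):
    """Value to embed as a hidden field in every state-changing form."""
    return session["csrf_token"]

def is_trusted_origin(headers, allowed_hosts):
    """Secondary check: the request must originate from one of our own hosts.
    Origin is preferred; Referer is the fallback. Rejecting requests that carry
    neither header is a deliberate policy choice for admin endpoints."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return urlparse(source).hostname in allowed_hosts

def verify_csrf(session, form, headers, allowed_hosts=("helpdesk.example",)):
    """Primary check: submitted token must equal the session's token.
    compare_digest avoids leaking the token through timing differences."""
    submitted = form.get("csrf_token", "")
    expected = session.get("csrf_token", "")
    if not expected or not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False
    return is_trusted_origin(headers, allowed_hosts)

def create_user(session, form, headers):
    """Admin-only user-creation handler: authorisation first, then CSRF check,
    then the privileged action. Returns a short status string for clarity."""
    if session.get("user") != "admin":
        return "forbidden"
    if not verify_csrf(session, form, headers):
        return "csrf rejected"
    return f"created {form['username']} role={form['role']}"

if __name__ == "__main__":
    sess = new_session()
    ok = {"csrf_token": render_form_token(sess), "username": "alice", "role": "admin"}
    print(create_user(sess, ok, {"Origin": "https://helpdesk.example"}))
    # A cross-site form post carries the cookie but neither the token nor a trusted Origin.
    forged = {"username": "attacker", "role": "admin"}
    print(create_user(sess, forged, {"Origin": "https://evil.example"}))
```

The token must be regenerated on login and never placed in a URL or cookie that the attacker's page could read or forge; the Origin check alone is not sufficient because some clients strip those headers, which is why it is layered behind the token rather than replacing it.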
References
https://gestsup.fr/index.php?page=changelog
Release Notes
https://www.vulncheck.com/advisories/gestsup-csrf-allows-privileged-actions
Third Party Advisory
CVSS impact metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 · High
Information
Source identifier
Vulnerability status
Analyzed
Published
2026-01-09T17:15:54.750Z
Last modified
2026-01-14T19:22:40.133Z