From Search Box to Admin Control: High-Severity GestSup Vulnerabilities Expose Full System Access

GestSup – Product & Vulnerability Overview

Product: GestSup
Category: Web-based IT service management (tickets, assets, users)
Affected scope: Self-hosted GestSup instances running versions ≤ 3.2.56
Risk summary:
Four high-impact vulnerabilities: three SQL injection flaws let any authenticated user extract or manipulate database data, and a CSRF weakness lets an attacker silently create administrator accounts through a logged-in admin's browser. When chained together, these flaws can lead to full system compromise.


CVE Summary Table

| CVE ID | Vulnerability | Attack Type | Severity | Exploitability | Exploit Availability |
|---|---|---|---|---|---|
| CVE-2026-22197 | Asset list SQL injection | Authenticated SQLi | High | Easy once endpoint known | No public exploit; trivial to reproduce |
| CVE-2026-22196 | Ticket creation SQL injection | Authenticated SQLi | High | Easy | No public exploit; easy manual PoC |
| CVE-2026-22195 | Search SQL injection | Authenticated SQLi | High | Very easy | No public exploit; scanner-friendly |
| CVE-2026-22194 | CSRF → admin account creation | CSRF / Privilege escalation | High | Moderate (requires admin session) | PoC trivial (HTML form) |

CVE-2026-22197 – Asset List SQL Injection

What is vulnerable

The asset listing feature accepts multiple parameters (filters, sort order, pagination, search fields). These parameters are passed directly into SQL queries without strict validation or parameterization.

How exploitation works

  1. Attacker logs in with any standard GestSup account.
  2. They modify asset list request parameters (for example via browser dev tools or proxy).
  3. Malicious SQL fragments are injected and executed by the database.

What an attacker can achieve

  • Dump asset tables and related metadata
  • Enumerate users, roles, or credentials stored in the database
  • Modify or delete asset records
  • Use blind SQL techniques to slowly extract sensitive data

Educational PoC payload examples

' OR '1'='1' --
' UNION SELECT NULL,version(),current_user --
' AND SLEEP(5) --

MITRE Mapping

  • CWE-89: SQL Injection
  • ATT&CK T1190: Exploit Public-Facing Application

CVE-2026-22196 – Ticket Creation SQL Injection

What is vulnerable

User-controlled fields during ticket creation (subject, description, custom fields) are embedded into SQL statements without sufficient sanitization.

Exploitation flow

  1. Attacker creates a ticket.
  2. Injects SQL payload into a text field.
  3. Payload executes during ticket insert or validation queries.

Why this is dangerous

  • Ticket creation is commonly allowed to all users.
  • Malicious payloads may persist and affect reporting, exports, or admin views.
  • Can be used for stored SQL injection scenarios depending on backend logic.

Educational PoC payload examples

'); SELECT user(),database() --
test' UNION SELECT id,password,NULL FROM users --
' OR (SELECT COUNT(*) FROM users)>0 --

MITRE Mapping

  • CWE-89: SQL Injection
  • ATT&CK T1190

CVE-2026-22195 – Search Function SQL Injection

What is vulnerable

The global or module-specific search bar directly concatenates search input into SQL queries.

Why this one is especially risky

  • Search endpoints are heavily used.
  • Attackers can automate exploitation easily.
  • Blind SQL injection is very effective here.

Exploitation example (educational)

' OR 'a'='a' --
' UNION SELECT NULL,group_concat(username,':',password) FROM users --
' AND SUBSTRING(version(),1,1)='8' --

Impact

  • Database fingerprinting
  • Credential extraction
  • Data leakage without raising immediate errors

MITRE Mapping

  • CWE-89
  • ATT&CK T1190

CVE-2026-22194 – CSRF Leading to Admin Account Creation

What is vulnerable

The administrative user creation endpoint does not properly verify request origin and does not enforce a strong CSRF token check.

How exploitation works

  1. Attacker crafts a malicious HTML page.
  2. A logged-in GestSup administrator visits the page.
  3. The browser silently sends a forged request using the admin’s session.
  4. A new administrator account is created without the admin realizing it.

Why this is critical

  • No credentials need to be stolen.
  • The attack leaves little immediate trace.
  • Newly created admin accounts can persist indefinitely.

Educational PoC

< form action="https://gestsup[.]example/admin/users/create" method="POST">
  < input name="username" value="eviladmin">
  < input name="password" value="StrongPass123!">
  < input name="role" value="admin">
</ form>
< script>document.forms[0].submit();</ script>

MITRE Mapping

  • CWE-352: Cross-Site Request Forgery
  • ATT&CK T1190 (used as initial access enabler)

Detection & Monitoring Guidance

What to watch for

Indicators

  • Requests containing SQL keywords (UNION, SELECT, SLEEP, information_schema)
  • Repeated search or ticket submissions with unusual characters
  • Sudden spikes in database errors or slow queries
  • Queries accessing schema or metadata tables

Log sources

  • Web server access logs (URL + parameters)
  • Application logs (SQL errors, exceptions)
  • Database slow query and general logs
  • WAF / reverse proxy logs

WAF Detection Rule (Example)

SecRule REQUEST_URI|ARGS "@rx (?i)(union\s+select|information_schema|sleep\(|benchmark\(|--\s|/\*)" \
"id:200001,phase:2,t:none,t:urlDecodeUni,deny,log,msg:'SQL injection attempt detected',severity:2"

The (?i) flag and the urlDecodeUni transformation make sure mixed-case and URL-encoded variants (UNION%20SELECT) still match; without them the payloads shown above would slip past the rule.

CSRF Detection Ideas

  • Alert on new admin account creation
  • Correlate creation with:
    • Unusual referrer
    • No corresponding admin UI interaction
    • Immediate privilege usage by the new account
  • Monitor for POST requests to admin endpoints without valid CSRF tokens
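The indicators above applied to a handful of constructed access-log lines, as an added example that is not part of the original advisory; the instance origin, the endpoint paths and the log lines themselves are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Assumed values (not from the advisory): the instance's own origin and the
# admin user-creation path shown in the CSRF PoC above.
OWN_ORIGIN = "https://gestsup.example"
ADMIN_CREATE_PATH = "/admin/users/create"

# SQLi signatures mirror the indicator list and example WAF rule; they run over
# the URL-decoded request target, case-insensitively.
SQLI_RE = re.compile(r"union\s+select|information_schema|sleep\s*\(|benchmark\s*\(|--\s|/\*", re.I)

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def analyze_line(line):
    """Return (ip, target, [finding tags]) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = []
    hit = SQLI_RE.search(unquote_plus(m["target"]))
    if hit:
        findings.append("sqli:" + hit.group(0).lower().strip())
    # CSRF indicator: state-changing POST to the admin user-creation endpoint
    # whose Referer is missing or belongs to a foreign origin.
    if m["method"] == "POST" and m["target"].split("?", 1)[0] == ADMIN_CREATE_PATH:
        if m["referer"] == "-" or not m["referer"].startswith(OWN_ORIGIN + "/"):
            findings.append("csrf:admin-create-foreign-referer")
    return m["ip"], m["target"], findings

def scan(lines):
    """Keep only parsable lines that produced at least one finding."""
    return [r for r in map(analyze_line, lines) if r and r[2]]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2026:10:00:01 +0000] "GET /search.php?q=%27+UNION+SELECT+NULL%2Cgroup_concat%28username%29+FROM+users+-- HTTP/1.1" 200 512 "https://gestsup.example/search.php" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Jan/2026:10:00:07 +0000] "GET /ticket.php?id=42 HTTP/1.1" 200 2048 "https://gestsup.example/" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Jan/2026:10:01:13 +0000] "GET /asset.php?sort=id%20AND%20SLEEP(5)-- HTTP/1.1" 200 100 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Jan/2026:10:02:45 +0000] "POST /admin/users/create HTTP/1.1" 302 0 "https://attacker.example/page.html" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, findings in scan(SAMPLE_LOG):
        print(ip, target, findings)
```

Correlating the CSRF hit with the "new admin account created" application event from the list above turns this from a hint into an alert.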

How Attackers Chain These Vulnerabilities

A realistic attack path:

  1. Use search SQL injection to enumerate users.
  2. Exploit ticket or asset SQL injection to extract sensitive data.
  3. Abuse CSRF to create a stealth admin account.
  4. Maintain long-term persistence with full control.

Remediation (What You Must Do)

Immediate actions

  • Upgrade GestSup to a patched version (> 3.2.56)
  • Restrict access to admin interfaces by IP if possible
  • Ensure database user has least privilege
  • Enable HTTPS and secure cookies

Secure development controls

  • Use prepared statements everywhere
  • Strict input validation (allow-lists)
  • Enforce CSRF tokens and SameSite cookies
  • Add audit logging for admin actions
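The prepared-statement and allow-list controls shown next to the concatenation pattern the advisory describes, exercised with the search payload from the PoC above; this is an added Python illustration on a constructed in-memory table, not GestSup's own code or schema.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for a ticket table (not GestSup's schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, subject TEXT, owner TEXT)")
    db.executemany("INSERT INTO tickets (subject, owner) VALUES (?, ?)",
                   [("Printer jam", "alice"), ("VPN down", "bob"), ("Laptop request", "carol")])
    return db

def search_vulnerable(db, term):
    """Concatenation, as in the advisory: the term becomes part of the SQL text,
    so a quote plus a comment marker rewrites the WHERE clause."""
    sql = "SELECT id, subject FROM tickets WHERE subject LIKE '%" + term + "%'"
    return db.execute(sql).fetchall()

def search_safe(db, term):
    """Prepared statement: the term is bound as data and never parsed as SQL."""
    sql = "SELECT id, subject FROM tickets WHERE subject LIKE ?"
    return db.execute(sql, ("%" + term + "%",)).fetchall()

# Identifiers such as the asset-list sort column cannot be bound as parameters,
# so they are checked against an allow-list instead.
ALLOWED_SORT = {"id", "subject", "owner"}

def list_sorted(db, sort):
    if sort not in ALLOWED_SORT:
        raise ValueError(f"unsupported sort column: {sort!r}")
    return db.execute(f"SELECT id FROM tickets ORDER BY {sort}").fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = "zzz' OR 'a'='a' --"   # search payload pattern from the PoC above
    print("vulnerable:", search_vulnerable(db, payload))   # every row comes back
    print("safe:      ", search_safe(db, payload))         # nothing matches literally
```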

Official Patch / Upgrade Link

🔗 GestSup Official Downloads & Patches:
https://gestsup.fr/telechargements/


Final Takeaway

  • No public weaponized exploits are circulating yet, but all four vulnerabilities are easy to reproduce by anyone with basic web security knowledge.
  • These issues should be treated as actively exploitable in real environments.
  • Patch immediately and review logs for historical abuse.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.