CVE-2024-50861

MEDIUM

Gestioip - XSS

Title source: rule

Description

The ip_mod_dns_key_form.cgi request in GestioIP v3.5.7 is vulnerable to Stored XSS. An attacker can inject malicious code into the "TSIG Key" field, which is saved in the database and triggers XSS when viewed, enabling data exfiltration and CSRF attacks.

Exploits (1)

exploitdb WORKING POC

by Maximiliano Belino · textremotemultiple

https://www.exploit-db.com/exploits/52201

View Code ZIP pw:eip

References (3)

[Product] http://www.gestioip.net

[Exploit, Third Party Advisory] https://github.com/maxibelino/CVEs/tree/main/CVE-2024-50861

[Product] https://github.com/muebel/gestioip-docker-compose

Scores

CVSS v3 6.1

EPSS 0.0117

EPSS Percentile 78.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

gestioip/gestioip 3.5.7

Published Jan 14, 2025

Tracked Since Feb 18, 2026