Account takeover through password recovery functionality on Gestsup
Gestsup versions from 3.146 to 3.2.9 are vulnerable.
The issue was fixed on version 3.2.10.
An attacker who knows the email addresses of the users of the Gestsup application could use the password recovery feature
to compromise user accounts.
Recovery tokens are not sufficiently unique: the web application uses the PHP "uniqid" function, which does not generate
cryptographically secure values. As a result, an attacker could request the
password recovery of a user and guess the recovery token by performing a brute
force attack. This is possible because a portion of the "uniqid" token is guessable (the PHP "uniqid" function uses the system's clock to generate the
tokens), and because tokens do not expire and the application does not implement
any protection, such as captcha challenges or rate
below shows the vulnerable source code:
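As an added illustration (not Gestsup's own source, which is not reproduced here), the uniqid()-based pattern the advisory describes is shown beside a hardened replacement; the table name password_reset, its columns and the 15-minute lifetime are assumptions:

```php
<?php
// Added example, not Gestsup code. Weak clock-based token beside a hardened one.

// Weak pattern from the advisory: uniqid() derives its value from the system
// clock in microseconds, so most of the 13 hex characters are predictable.
function weakRecoveryToken(): string
{
    return uniqid();
}

// Hardened pattern: CSPRNG token, only its hash stored, short expiry, single use.
const RECOVERY_TOKEN_TTL = 900; // 15 minutes (assumed policy value)

function issueRecoveryToken(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the OS CSPRNG
    $hash  = hash('sha256', $token);      // a DB leak does not expose usable tokens
    // Any earlier token for this user is invalidated by the new request.
    $db->prepare('DELETE FROM password_reset WHERE user_id = ?')->execute([$userId]);
    $db->prepare('INSERT INTO password_reset (user_id, token_hash, expires_at) VALUES (?, ?, ?)')
       ->execute([$userId, $hash, time() + RECOVERY_TOKEN_TTL]);
    return $token;                        // delivered to the user's email only
}

// Returns the user id on success, null for unknown, expired or reused tokens.
// The endpoint calling this should also be rate limited per email/IP.
function consumeRecoveryToken(PDO $db, string $token): ?int
{
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT user_id, expires_at FROM password_reset WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < time()) {
        return null;
    }
    // Single use: remove the record before the password change proceeds.
    $db->prepare('DELETE FROM password_reset WHERE token_hash = ?')->execute([$hash]);
    return (int) $row['user_id'];
}

// Stand-alone demo with an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE password_reset (user_id INTEGER, token_hash TEXT, expires_at INTEGER)');
$token = issueRecoveryToken($db, 42);
$first  = consumeRecoveryToken($db, $token);  // accepted once
$second = consumeRecoveryToken($db, $token);  // rejected on reuse
var_dump($first, $second);
```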
An attacker could compromise the accounts of the users of the Gestsup application and carry out more advanced attacks with
the information of the customers or the users of the
- 2021-04 Maltem discovers the vulnerability.
- 2021-04 Maltem notifies vendor.
- 2021-04 Vendor fixes the vulnerability.
- 2021-04 Maltem publishes the vulnerability.