Cross-site Scripting (XSS) - Stored in polonel/trudesk

Valid

Reported on

Jun 14th 2021


💥 BUG

Stored xss using fullname

💥 IMPACT

There is no xss filter present . Using this stored xss external user can attack admin and can execute arbitary javascript code in vicitm account .

TESTED VERSION

trudesk 1.1.5

💥 STEP TO REPRODUCE

1. First goto http://localhost:8118/settings/general from admin account and grab your ticketing url http://localhost:8118/newissue .
2. Now as external user open above ticketing url and create a new ticket . During creation put bellow xss payload in fullname field .
payload-->xss"'><img src=x onerror=alert(document.domain)>

3. Now goto admin account and view the above ticket and see xss is executed.

💥 VIDEO POC

https://drive.google.com/file/d/1f4qL9FrBEB9Z-v8UnNEJL2zUBFD34o7v/view?usp=sharing

💥 STUDY

https://owasp.org/www-community/attacks/xss/
https://portswigger.net/web-security/cross-site-scripting
https://en.wikipedia.org/wiki/Cross-site_scripting
https://www.acunetix.com/websitesecurity/cross-site-scripting/

Chris Brame validated this vulnerability 6 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
nedondev submitted a
6 months ago
Chris Brame confirmed that a fix has been merged on c3c3b2 6 months ago
Chris Brame has been awarded the fix bounty