Cross-site Scripting (XSS) - Stored in polonel/trudesk

Valid

Reported on

Jun 19th 2021

✍️ Description

trudesk is vulnerable to XSS via chat.

🕵️‍♂️ Proof of Concept

  1. Send a message with the content <img src onerror=alert(document.domain)>.

PoC video

💥 Impact

JavaScript code execution.

We have contacted a member of the polonel/trudesk team and are waiting to hear back 2 years ago
Chris validated this vulnerability a year ago
Renan Rocha has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the polonel/trudesk team. We will try again in 7 days. a year ago
We have sent a second fix follow up to the polonel/trudesk team. We will try again in 10 days. a year ago
Chris
a year ago

Maintainer

This has been fixed and will release with version 1.2.3 I will update this report once released.

Chris marked this as fixed in 1.2.3 with commit b7c151 a year ago
Chris has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation