Cross-site Scripting (XSS) - Stored in polonel/trudesk

Valid

Reported on

Jun 19th 2021


✍️ Description

trudesk is vulnerable to XSS via chat.

🕵️‍♂️ Proof of Concept

  1. Send a message with the content <img src onerror=alert(document.domain)>.

PoC video

💥 Impact

JavaScript code execution.

We have contacted a member of the polonel/trudesk team and are waiting to hear back a year ago
Chris Brame validated this vulnerability a month ago
Renan Rocha has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the polonel/trudesk team. We will try again in 7 days. a month ago
We have sent a second fix follow up to the polonel/trudesk team. We will try again in 10 days. a month ago
Chris Brame
a month ago

Maintainer


This has been fixed and will release with version 1.2.3 I will update this report once released.

Chris Brame confirmed that a fix has been merged on b7c151 a month ago
Chris Brame has been awarded the fix bounty
to join this conversation