Cross-site Scripting (XSS) - Stored in polonel/trudesk

Valid

Reported on

Jun 14th 2021


💥 BUG

Stored XSS via a Markdown link in ticket content

💥 IMPACT

There is no XSS filter present. Using this stored XSS, an external user can attack an admin and execute arbitrary JavaScript code in the victim's account.

TESTED VERSION

trudesk 1.1.5

💥 STEPS TO REPRODUCE

1. First, go to http://localhost:8118/settings/general from the admin account and grab your ticketing URL, http://localhost:8118/newissue .
2. Now, as an external user, open the above ticketing URL and create a new ticket. During creation, put the XSS payload below in the ticket content:
[click_Me](javascript:alert(document.domain))

3. Now go to the admin account, view the above ticket and click the link: the XSS executes. So any external user can mount an XSS attack and execute arbitrary JavaScript in the victim's trudesk account.
Thus the attacker can read all of the victim's ticket details or perform other operations.
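The root cause described above is that Markdown link destinations reach the rendered HTML with any URL scheme, so `javascript:` ends up in an `href`. The defensive pattern is a scheme allowlist applied to every link before rendering. The following is an added illustration and not trudesk's code or its actual fix (the page only records that a fix was merged in 58c90d, not what it changed); the function names, the allowlist and the placeholder base origin are my assumptions. It uses the WHATWG URL parser, which normalizes case and strips embedded tabs and newlines, so the check is not defeated by trivial obfuscation of the scheme.

```javascript
// Added example (not trudesk code): allowlist link schemes before rendering Markdown.
// Assumption: only web links, mail links and relative/anchor links are legitimate in tickets.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);

// Placeholder base so relative destinations such as "/tickets/42" or "#top"
// resolve to an allowed scheme instead of failing to parse (constructed value).
const PLACEHOLDER_BASE = 'https://placeholder.invalid/';

// Returns true only when the destination parses and its scheme is on the allowlist.
// The URL parser lowercases the scheme and removes ASCII tab/newline characters,
// so "JaVaScRiPt:" and "java\tscript:" are both recognised as javascript:.
function isSafeLinkUrl(href) {
  let url;
  try {
    url = new URL(href, PLACEHOLDER_BASE);
  } catch (e) {
    return false; // unparseable destination: treat as unsafe
  }
  return ALLOWED_PROTOCOLS.has(url.protocol);
}

// Neutralizes inline links [text](dest "title") whose destination is not allowed
// by emitting the link text as plain text. Destinations with one level of balanced
// parentheses are handled, which covers the payload shown in the report above.
const INLINE_LINK = /\[([^\]]*)\]\(((?:[^()\s]|\([^()\s]*\))*)(\s+"[^"]*")?\)/g;

function sanitizeMarkdownLinks(markdown) {
  return markdown.replace(INLINE_LINK, (match, text, dest) => {
    return isSafeLinkUrl(dest) ? match : text;
  });
}

// Constructed ticket body mixing a benign link with the report's payload.
const sampleTicket =
  'Please see [our docs](https://example.com/docs) and ' +
  '[click_Me](javascript:alert(document.domain)) for details.';

console.log(sanitizeMarkdownLinks(sampleTicket));
```

This belongs in the rendering path, before the Markdown is converted to HTML; stripping the `href` rather than the whole link keeps the ticket readable for the agent while removing the executable part. An HTML sanitizer run on the renderer's output is the usual second layer, since Markdown also permits raw HTML.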

💥 VIDEO

https://drive.google.com/file/d/1kxHMq5Fp45VBJISE2Gp2ZtwryR-PKn9n/view?usp=sharing

💥 STUDY

https://owasp.org/www-community/attacks/xss/
https://portswigger.net/web-security/cross-site-scripting
https://en.wikipedia.org/wiki/Cross-site_scripting
https://www.acunetix.com/websitesecurity/cross-site-scripting/

Chris Brame validated this vulnerability 6 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Chris Brame confirmed that a fix has been merged on 58c90d 6 months ago
Chris Brame has been awarded the fix bounty