Stored XSS via .svg file upload in polonel/trudesk

Valid

Reported on

Mar 19th 2022


Description

The application allows .svg files to be uploaded, which leads to stored XSS.

Proof of Concept

1. Download the payload from this link: https://drive.google.com/file/d/1c1BP5bxXBxtwLfRJTrEPgMWK1yVFDF2R/view?usp=sharing and upload it on your profile.

2. Now open the path of the uploaded image (either right-click the image and copy the image address, or right-click, inspect the image, and take the URL from the inspector; edit it as HTML).

3. The XSS then triggers, because the malicious .svg extension is allowed.

Video PoC

https://drive.google.com/file/d/1_KOXMP_-jMhF4jEtg6XI_NopDNp5ZRCM/view?usp=sharing

Impact

This allows attackers to execute malicious scripts in the user's browser, which can lead to session hijacking, sensitive data exposure, and worse.
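As an added defensive example (not trudesk's code and not the fix merged on c4b262), the following Node.js snippet admits profile images only by their magic bytes, so an SVG is rejected whether or not it is renamed, and adds hardened headers for serving stored uploads; all function and constant names are hypothetical.

```javascript
// Added example, not trudesk code: allow-list profile images by content
// (magic bytes), ignoring the filename extension and the client-declared
// MIME type, so script-capable formats such as SVG are never stored.
const PNG_MAGIC = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const JPEG_MAGIC = Buffer.from([0xff, 0xd8, 0xff]);
const GIF_MAGIC = Buffer.from('GIF8'); // covers GIF87a and GIF89a

// Detect the real raster type from the leading bytes; null if not allowed.
function sniffImageType(buf) {
  if (buf.subarray(0, 8).equals(PNG_MAGIC)) return 'image/png';
  if (buf.subarray(0, 3).equals(JPEG_MAGIC)) return 'image/jpeg';
  if (buf.subarray(0, 4).equals(GIF_MAGIC)) return 'image/gif';
  return null;
}

// SVG is text: look for an <svg root in the first KB (after any XML prolog,
// BOM or comment) so a renamed .png that is really SVG is still identified.
function looksLikeSvg(buf) {
  const head = buf.subarray(0, 1024).toString('utf8').toLowerCase();
  return /<svg[\s>\/]/.test(head);
}

// Decide whether an upload may be stored as a profile image.
// Returns { ok, type, reason } so the caller can log why it was rejected.
function validateProfileImage(filename, buf) {
  const type = sniffImageType(buf);
  if (type) return { ok: true, type, reason: null };
  if (looksLikeSvg(buf)) {
    return { ok: false, type: 'image/svg+xml', reason: 'SVG rejected: format can carry script' };
  }
  return { ok: false, type: null, reason: `unrecognised image content in ${filename}` };
}

// Defence in depth when serving any stored upload: no MIME sniffing, force
// download rather than rendering as a document, and sandbox if rendered.
function uploadResponseHeaders(type) {
  return {
    'Content-Type': type,
    'X-Content-Type-Options': 'nosniff',
    'Content-Disposition': 'attachment',
    'Content-Security-Policy': "default-src 'none'; sandbox",
  };
}

// Constructed samples: a minimal PNG header and a benign SVG with no script.
const SAMPLE_PNG = Buffer.concat([PNG_MAGIC, Buffer.alloc(16)]);
const SAMPLE_SVG = Buffer.from(
  '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
);
```

Because the check is by content rather than extension, `validateProfileImage('avatar.png', SAMPLE_SVG)` is still rejected as SVG.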

We are processing your report and will contact the polonel/trudesk team within 24 hours. 2 months ago
Chris Brame validated this vulnerability 2 months ago
SAMPRIT DAS has been awarded the disclosure bounty
The fix bounty is now up for grabs
SAMPRIT DAS
2 months ago

Researcher


@admin Can you register a CVE for this?

SAMPRIT DAS
2 months ago

Researcher


@admin

Jamie Slome
2 months ago

Admin


Sure, @maintainer, can you please confirm whether you would like us to assign and publish a CVE for this report?

SAMPRIT DAS
2 months ago

Researcher


@Chris @polonel @maintainer can you please reply

Chris Brame
2 months ago

Maintainer


Yes, you can assign and publish a CVE for this report.

SAMPRIT DAS
2 months ago

Researcher


@admin The maintainer has agreed, so can you please register a CVE for this report?

Jamie Slome
2 months ago

Admin


CVE assigned! 🎊

Please confirm the fix @maintainer, and then we will be able to publish the CVE.

We have sent a fix follow up to the polonel/trudesk team. We will try again in 7 days. 2 months ago
We have sent a second fix follow up to the polonel/trudesk team. We will try again in 10 days. 2 months ago
We have sent a third and final fix follow up to the polonel/trudesk team. This report is now considered stale. 2 months ago
Chris Brame confirmed that a fix has been merged on c4b262 2 months ago
The fix bounty has been dropped
SAMPRIT DAS
2 months ago

Researcher


@Chris @polonel @maintainer I am still able to reproduce the steps for this report in version 1.2.0; can you please also verify it from your side?

SAMPRIT DAS
2 months ago

Researcher


You can reproduce the steps by downloading this SVG payload from this drive link: https://drive.google.com/file/d/1c1BP5bxXBxtwLfRJTrEPgMWK1yVFDF2R/view?usp=sharing

and uploading it as the profile image.

SAMPRIT DAS
2 months ago

Researcher


@admin Can you update the CVE details on NVD?

Jamie Slome
2 months ago

Admin


Sorted 👍
