Stored XSS viva .svg file upload in polonel/trudesk

Valid

Reported on

Mar 19th 2022

Description

The application allows .svg files to upload which lead to stored XSS

Proof of Concept

1.Download the payload from this link:- https://drive.google.com/file/d/1c1BP5bxXBxtwLfRJTrEPgMWK1yVFDF2R/view?usp=sharing and upload it on your profile.

2.Now open the path of the uploaded image ( Either by right click on image then copy image address OR right-click, inspect the image, the URL will come in the inspect, edit it as HTML )

3.Then XSS will trigger for allowing malicious svg extension.

Video PoC

https://drive.google.com/file/d/1_KOXMP_-jMhF4jEtg6XI_NopDNp5ZRCM/view?usp=sharing

Impact

This allows attackers to execute malicious scripts in the user's browser and it can lead to session hijacking, sensitive data exposure, and worse.

We are processing your report and will contact the polonel/trudesk team within 24 hours. a year ago

Chris validated this vulnerability a year ago

SAMPRIT DAS has been awarded the disclosure bounty

The fix bounty is now up for grabs

SAMPRIT DAS

commented a year ago

Researcher

@admin Can you register a CVE for this?

SAMPRIT DAS

commented a year ago

Researcher

@admin

Jamie Slome

commented a year ago

Admin

Sure, @maintainer, can you please confirm whether you would like us to assign and publish a CVE for this report?

SAMPRIT DAS

commented a year ago

Researcher

@Chris @polonel @maintainer can you please reply

Chris

commented a year ago

Maintainer

Yes, you can assign and publish a CVE for this report.

SAMPRIT DAS

commented a year ago

Researcher

@admin Maintainer is agree so can you please register a CVE for this report?

Jamie Slome

commented a year ago

Admin

CVE assigned! 🎊

Please confirm the fix @maintainer, and then we will be able to publish the CVE.

We have sent a fix follow up to the polonel/trudesk team. We will try again in 7 days. a year ago

We have sent a second fix follow up to the polonel/trudesk team. We will try again in 10 days. a year ago

We have sent a third and final fix follow up to the polonel/trudesk team. This report is now considered stale. a year ago

Chris marked this as fixed in v1.2.0 with commit c4b262 a year ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

SAMPRIT DAS

commented a year ago

Researcher

@Chris @polonel @maintainer I am still able to reproduce the step for this report in the 1.2.0 version can you please also verify it from your side?

SAMPRIT DAS

commented a year ago

Researcher

you can reproduce the step by downloading this SVG payload from this drive link: https://drive.google.com/file/d/1c1BP5bxXBxtwLfRJTrEPgMWK1yVFDF2R/view?usp=sharing

and upload it in the profile Image.

SAMPRIT DAS

commented a year ago

Researcher

@admin Can you update the CVE details on NVD?

Jamie Slome

commented a year ago

Admin

Sorted 👍

to join this conversation

We are processing your report and will contact the polonel/trudesk team within 24 hours. a year ago

Chris validated this vulnerability a year ago

SAMPRIT DAS has been awarded the disclosure bounty

The fix bounty is now up for grabs

SAMPRIT DAS

commented a year ago

Researcher

@admin Can you register a CVE for this?

SAMPRIT DAS

commented a year ago

Researcher

@admin

Jamie Slome

commented a year ago

Admin

Sure, @maintainer, can you please confirm whether you would like us to assign and publish a CVE for this report?

SAMPRIT DAS

commented a year ago

Researcher

@Chris @polonel @maintainer can you please reply

Chris

commented a year ago

Maintainer

Yes, you can assign and publish a CVE for this report.

SAMPRIT DAS

commented a year ago

Researcher

@admin Maintainer is agree so can you please register a CVE for this report?

Jamie Slome

commented a year ago

Admin

CVE assigned! 🎊

Please confirm the fix @maintainer, and then we will be able to publish the CVE.

We have sent a fix follow up to the polonel/trudesk team. We will try again in 7 days. a year ago

We have sent a second fix follow up to the polonel/trudesk team. We will try again in 10 days. a year ago

We have sent a third and final fix follow up to the polonel/trudesk team. This report is now considered stale. a year ago

Chris marked this as fixed in v1.2.0 with commit c4b262 a year ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

SAMPRIT DAS

commented a year ago

Researcher

@Chris @polonel @maintainer I am still able to reproduce the step for this report in the 1.2.0 version can you please also verify it from your side?

SAMPRIT DAS

commented a year ago

Researcher

you can reproduce the step by downloading this SVG payload from this drive link: https://drive.google.com/file/d/1c1BP5bxXBxtwLfRJTrEPgMWK1yVFDF2R/view?usp=sharing

and upload it in the profile Image.

SAMPRIT DAS

commented a year ago

Researcher

@admin Can you update the CVE details on NVD?

Jamie Slome

commented a year ago

Admin

Sorted 👍

to join this conversation