XSS Stored in Caption Image in osticket/osticket

Valid

Reported on

Mar 10th 2023


Description

Hello team, I found a stored XSS in the caption field, as demonstrated in the gif below.

Proof of Concept


Impact

As a result, this allows an attacker to steal user sessions, take over user accounts, and redirect users to an attacker-controlled site.

We are processing your report and will contact the osticket team within 24 hours. 6 months ago
We have contacted a member of the osticket team and are waiting to hear back 6 months ago
JediKev
6 months ago

Maintainer


@cupc4k3

Thank you for the report. We will review this and get back to you with our feedback as soon as possible.

Cheers.

JediKev
6 months ago

Maintainer


@cupc4k3

Please test the below patch and confirm the Caption option no longer exists, which should fully mitigate the vulnerability:

diff --git a/js/redactor-osticket.js b/js/redactor-osticket.js
index 032dca55..77bd6121 100644
--- a/js/redactor-osticket.js
+++ b/js/redactor-osticket.js
@@ -59,6 +59,7 @@
             // and will be configured locally in the afterUpateDraft()
             this.opts.clipboardUpload =
             this.opts.imageUpload = this.autoCreateUrl + '/attach';
+            this.opts.imageCaption = false;
         }
         this.opts.autosaveData = {
             '__CSRFToken__': $("meta[name=csrf_token]").attr("content")
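Review bot: the new `this.opts.imageCaption = false;` line carries no comment saying why captions are being disabled, and the same assignment is repeated in each later hunk; a one-line comment at this first site (stored XSS through the caption field) would stop a future cleanup from re-enabling it. Since this is a browser-side Redactor option, it should also be paired with server-side handling of caption markup, which this file alone cannot provide.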
@@ -81,6 +82,7 @@
         this.opts.clipboardUpload =
         this.opts.imageUpload =
             'ajax.php/draft/' + draft_id + '/attach';
+        this.opts.imageCaption = false;
 
         // Add [Delete Draft] button to the toolbar
         if (this.opts.draftDelete) {
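Review bot: this second copy of `this.opts.imageCaption = false;` is correct for the draft-backed editor, but with `'imageCaption': false` also added to the construction-time options in the last hunk, it is worth deciding whether the per-path assignments are still needed; duplicated option resets tend to drift apart as the surrounding branches change.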
@@ -198,6 +200,7 @@
                 self.opts.autosave = self.autoCreateUrl;
                 self.opts.clipboardUpload =
                 self.opts.imageUpload = self.autoCreateUrl + '/attach';
+                self.opts.imageCaption = false;
                 self.deleteButton.hide();
                 self.saveButton.hide();
                 self.app.broadcast('draft.deleted');
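Review bot: `self.opts.imageCaption = false;` is re-applied on the `draft.deleted` path alongside the reset of `autosave`, `clipboardUpload` and `imageUpload`, yet nothing in the diff ever sets it back to true, so this reset is defensive rather than necessary; keep it only with a comment explaining that these options are rebuilt wholesale here, and add a manual check that the caption control stays absent after a draft is deleted, since that is the state this branch produces.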
@@ -380,6 +383,7 @@ $(function() {
                   ? ['imagemanager','definedlinks']
                   : ['imagemanager','table','video','definedlinks','autolock', 'fontcolor', 'fontfamily'],
                 'imageUpload': el.hasClass('draft'),
+                'imageCaption': false,
                 'imageManagerJson': 'ajax.php/draft/images/browse',
                 'imagePosition': true,
                 'imageUploadData': {
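Review bot: this options-object entry is the right single place for `imageCaption`, so the three per-path assignments in the earlier hunks look like duplicates that could be dropped. Also note that hiding the caption control only stops new captions from being entered; it does not clean captions already stored in existing drafts or tickets, so the statement above that removing the option "should fully mitigate" holds for new input only, and previously stored content should be reviewed or re-sanitized on the server.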

Cheers.
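The patch above removes the caption control on the client, which closes the input path. As an added illustration that is not osTicket or Redactor code, the following shows the complementary output-side control: escaping a stored caption before it is placed in HTML, plus a small check for auditing captions that were stored before the fix. The function names and the sample caption are assumptions constructed for this example.

```javascript
// Added example, not osTicket's own code: escape a stored image caption
// on output so that caption text can never become markup. Function names
// and the sample caption below are constructed for this illustration.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Replace the five HTML-significant characters with entity references.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe rendering: the stored caption is interpolated as raw HTML, which is
// how a caption field turns into a stored XSS sink.
function renderFigureUnsafe(src, caption) {
  return `<figure><img src="${src}"><figcaption>${caption}</figcaption></figure>`;
}

// Safe rendering: both the attribute value and the text content are escaped.
// (Validating the URL scheme of src is a separate control, not shown here.)
function renderFigureSafe(src, caption) {
  return `<figure><img src="${escapeHtml(src)}">` +
    `<figcaption>${escapeHtml(caption)}</figcaption></figure>`;
}

// Audit helper for content stored before the fix: flags captions that
// contain anything tag-like so they can be reviewed or re-saved escaped.
function captionLooksLikeMarkup(caption) {
  return /<\s*[a-z!\/]/i.test(String(caption));
}

// Constructed sample: a caption carrying markup, as the vulnerable editor
// would have stored it verbatim.
const SAMPLE_CAPTION = 'Team photo <b>2023</b> <script>x()</script>';

console.log(renderFigureSafe('photo.png', SAMPLE_CAPTION));
console.log('needs review:', captionLooksLikeMarkup(SAMPLE_CAPTION));
```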

CUPCΛKΣ
6 months ago

Researcher


Hi @jedikev

I performed the test and the caption option was removed, mitigating the vulnerability completely.

CUPCΛKΣ
6 months ago

Researcher


Hello team, any news?

osticket/osticket maintainer
6 months ago

Maintainer


The vulnerability is valid and we have supplied our initial patch. You've confirmed the patch; now you must wait for us to release a new version with the patch applied. This should be in the coming weeks. Once we release a new version I will mark this as valid and complete it. At that point a CVE can be assigned.

TL;DR: You are now waiting for us to release a new version to the public.

JediKev validated this vulnerability 3 months ago
CUPCΛKΣ has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
JediKev marked this as fixed in v1.17.4 with commit ca3063 3 months ago
JediKev has been awarded the fix bounty
This vulnerability will not receive a CVE
JediKev published this vulnerability 3 months ago