XSS Stored in Email in osticket/osticket

Valid

Reported on Dec 4th 2022


Description

It was discovered that it is possible to inject a malicious payload into the email address field, resulting in a stored XSS vulnerability.

Proof of Concept

1. Access the email settings at /scp/emails.php

2. Create an email account with the following address

Payload: test+(<script>alert(document.domain)</script>)@gmail.com

It works with any email account because they are all placed in the drop-down list.

3. Once the account is created, navigate to the email settings section

4. The XSS is executed

Impact

If exploited, this vulnerability could allow an attacker to inject malicious JavaScript code into the email address field. This could potentially lead to unauthorized access to sensitive information, such as passwords and personal data.

References
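The two controls that close the class of bug described above, in an added PHP example that is not osTicket's code: reject an address that is not syntactically valid before it is stored, and HTML-encode the stored value where it is placed into the page (the drop-down list the report mentions). The function names and the sample inputs are constructed for this example; the first sample is the payload from the report.

```php
<?php
// Added example (not osTicket's code): validate the email address before it is
// stored, and HTML-encode it wherever it is rendered, so that a value such as
// the reported payload never reaches the admin page as live markup.

// Constructed sample inputs: the address from the report and a benign one.
const SAMPLE_ADDRESSES = [
    'test+(<script>alert(document.domain)</script>)@gmail.com',
    'support@example.com',
];

/**
 * Input-side control (hypothetical helper): accept only syntactically valid
 * addresses and reject everything else instead of silently "cleaning" it.
 * Returns the trimmed address on success, or null if PHP's validator refuses it.
 */
function validate_email_address(string $raw): ?string
{
    $candidate = trim($raw);
    // FILTER_VALIDATE_EMAIL does not accept '<', '>' or parenthesised comments
    // in an unquoted local part, so the reported payload is rejected here.
    if (filter_var($candidate, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $candidate;
}

/**
 * Output-side control (hypothetical helper): encode the value at the point it
 * is placed into HTML, here an <option> element. This is independent of input
 * validation and also protects data that was stored before validation existed.
 */
function render_email_option(string $email, bool $selected = false): string
{
    $safe = htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf(
        '<option value="%s"%s>%s</option>',
        $safe,
        $selected ? ' selected' : '',
        $safe
    );
}

foreach (SAMPLE_ADDRESSES as $address) {
    $valid = validate_email_address($address);
    if ($valid === null) {
        echo 'rejected: ' . htmlspecialchars($address, ENT_QUOTES, 'UTF-8') . PHP_EOL;
        continue;
    }
    echo 'accepted: ' . render_email_option($valid) . PHP_EOL;
}

// Even if an unvalidated value were rendered, the encoder neutralises it:
// the '<' and '>' of the payload become '&lt;' and '&gt;'.
echo render_email_option(SAMPLE_ADDRESSES[0]) . PHP_EOL;
```

Run it with `php example.php`. The point of keeping both functions is that they fail independently: validation stops new bad data from being saved, while encoding at render time covers rows that were stored before the check existed and any other path that writes the field.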

We are processing your report and will contact the osticket team within 24 hours. 4 months ago
We have contacted a member of the osticket team and are waiting to hear back 4 months ago
osticket/osticket maintainer
4 months ago

Maintainer


Thank you for the report. I will verify this and provide an update soon.

JediKev
2 months ago

Maintainer


@edr4

Can you please test this patch to see if it fully mitigates the vulnerability?

diff --git a/include/class.email.php b/include/class.email.php
index bc4943c6..7843a446 100644
--- a/include/class.email.php
+++ b/include/class.email.php
@@ -334,12 +334,12 @@ class Email extends VerySimpleModel {
         if ($errors) return false;
 
         // Update basic settings
-        $this->email = $vars['email'];
+        $this->email = Format::sanitize($vars['email']);
         $this->name = Format::striptags($vars['name']);
-        $this->dept_id = $vars['dept_id'];
-        $this->priority_id = isset($vars['priority_id']) ? $vars['priority_id'] : '0';
-        $this->topic_id = $vars['topic_id'];
-        $this->noautoresp = $vars['noautoresp'];
+        $this->dept_id = (int) $vars['dept_id'];
+        $this->priority_id = (int) (isset($vars['priority_id']) ? $vars['priority_id'] : 0);
+        $this->topic_id = (int) $vars['topic_id'];
+        $this->noautoresp = (int) $vars['noautoresp'];
         $this->notes = Format::sanitize($vars['notes']);
 
         if ($this->save())
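Review bot: the email line in this hunk (`$this->email = Format::sanitize($vars['email']);`) runs after the `if ($errors) return false;` check has already passed, so the value that is stored can differ from the value that was validated, and a sanitizer transforms input rather than rejecting it. An address containing markup should fail validation and never be saved, and the render site (the drop-down the report describes) should HTML-encode the value regardless of what is stored; consider making the validation that produces `$errors` refuse such addresses, and confirming the output path encodes. The `(int)` casts on `dept_id`, `priority_id`, `topic_id` and `noautoresp` are sound hardening but are unrelated to the reported XSS, so the commit message should say they are defence in depth. Also, `name` uses `Format::striptags` while `email` and `notes` use `Format::sanitize`; a short comment on why the two differ would help future readers.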

Cheers.

Edra
2 months ago

Researcher


Sorry for my late reply. I tested it and it corrects the vulnerability well.

JediKev validated this vulnerability 21 days ago
Edra has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
JediKev marked this as fixed in v1.16.6 with commit 091ddb 21 days ago
JediKev has been awarded the fix bounty
This vulnerability has been assigned a CVE
JediKev published this vulnerability 21 days ago