Cross-site Scripting (XSS) - Stored in polonel/trudesk

Valid

Reported on

Dec 20th 2021


Description

There are several areas in the web application that are vulnerable to stored XSS. They include:

  • The chat feature when sending messages (/messages/startconversation)
  • The name field when creating a department (/departments)
  • Name field when creating teams (/teams)

You can also exploit the XSS vulnerability by uploading a malicious .SVG file with embedded Javascript in order to exploit these endpoints:

  • /accounts/uploadImage
  • /tickets/uploadattachment

The .SVG file will only produce a link to the malicious .SVG image file and the victim would need to visit the link in order to have the Javascript execute. But it is likely they will visit the link since it is coming from a trusted domain since the .SVG file would be uploaded to the TruDesk web application. One thing to note is that you can also bypass having the victim click the link in order to have the Javascript execute by embedding the link to the uploaded .SVG image into an iframe and then sending the victim this payload, such as by messaging it to them via TruDesk's messaging functionality. This would automatically execute the payload.

Proof of Concept

<script>alert(1);</script>

And the .SVG PoC would be:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/
svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert("svg xss");
   </script>
</svg>

Impact

This vulnerability is capable of executing an attacker's own Javascript. A possible attack scenario would be a customer sending an admin an XSS payload and the attacker's malicious Javascript would then execute on their browser. This could result in the admin's session cookie being stolen which may impact the confidentiality and integrity of customer tickets, and it may result in the entire web application being compromised since the attacker would then be able to upload a malicious backup and restore from it.

We are processing your report and will contact the polonel/trudesk team within 24 hours. 6 months ago
1d8 modified the report
6 months ago
We have contacted a member of the polonel/trudesk team and are waiting to hear back 6 months ago
We have sent a follow up to the polonel/trudesk team. We will try again in 7 days. 6 months ago
1d8 modified the report
6 months ago
We have sent a second follow up to the polonel/trudesk team. We will try again in 10 days. 6 months ago
We have sent a third and final follow up to the polonel/trudesk team. This report is now considered stale. 6 months ago
Chris Brame validated this vulnerability 5 months ago
1d8 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Chris Brame
a month ago

Maintainer


This has been fixed in v1.2.2. I will update this report once released.

Chris Brame confirmed that a fix has been merged on 4575ed a month ago
Chris Brame has been awarded the fix bounty
to join this conversation