Cross-site Scripting (XSS) - Stored in polonel/trudesk

Valid

Reported on

Dec 20th 2021


Description

There are several areas in the web application that are vulnerable to stored XSS. They include:

  • The chat feature when sending messages (/messages/startconversation)
  • The name field when creating a department (/departments)
  • The name field when creating a team (/teams)

The XSS vulnerability can also be exploited by uploading a malicious .SVG file with embedded JavaScript through these endpoints:

  • /accounts/uploadImage
  • /tickets/uploadattachment

The uploaded .SVG file only produces a link to the malicious image, and the victim would need to visit that link for the JavaScript to execute. They are likely to do so, however, because the link points to a trusted domain: the .SVG file is hosted by the TruDesk web application itself. Note that the click can be bypassed by embedding the link to the uploaded .SVG image in an iframe and sending the victim that payload, for example through TruDesk's messaging functionality, which causes the payload to execute automatically.

Proof of Concept

<script>alert(1);</script>

The .SVG PoC is:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert("svg xss");
   </script>
</svg>

Impact

This vulnerability allows an attacker to execute JavaScript of their choosing in a victim's browser. A possible attack scenario is a customer sending an admin an XSS payload, which then executes in the admin's browser. This could result in the admin's session cookie being stolen, impacting the confidentiality and integrity of customer tickets, and it may lead to the entire web application being compromised, since the attacker could then upload a malicious backup and restore from it.
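Added example, not trudesk's own code: two dependency-free functions covering the mitigations a fix for the vectors above needs. It assumes the upload handlers can hand us the stored filename and raw bytes, and that the template layer calls escapeHtml() on every user-supplied string (chat messages, department and team names). The sample SVG is constructed from the PoC in this report.

```javascript
// Recognise SVG by content, not only by extension: a renamed .svg still runs
// script when a browser navigates to it or loads it in an <iframe>.
const SVG_MARKER = /^\s*(<\?xml[^>]*>\s*)?(<!DOCTYPE[^>]*>\s*)?<svg[\s>]/i;
function looksLikeSvg(bytes) {
  return SVG_MARKER.test(bytes.toString('utf8', 0, 512));
}

// Response headers for serving a user-uploaded file from the /accounts or
// /tickets upload paths. Known raster types are served inline; SVG or anything
// unrecognised is forced to download under a script-free sandbox, so a direct
// visit or an <iframe> pointing at the file cannot execute embedded JavaScript.
function uploadResponseHeaders(filename, bytes) {
  const ext = filename.toLowerCase().split('.').pop();
  const raster = { png: 'image/png', jpg: 'image/jpeg', jpeg: 'image/jpeg', gif: 'image/gif' };
  const headers = { 'X-Content-Type-Options': 'nosniff' };
  if (raster[ext] && !looksLikeSvg(bytes)) {
    headers['Content-Type'] = raster[ext];
    headers['Content-Disposition'] = 'inline';
  } else {
    const safeName = filename.replace(/["\r\n]/g, '');
    headers['Content-Type'] = 'application/octet-stream';
    headers['Content-Disposition'] = `attachment; filename="${safeName}"`;
    headers['Content-Security-Policy'] = "sandbox; default-src 'none'; script-src 'none'";
  }
  return headers;
}

// Output-encode user-supplied strings before they are placed in an HTML body
// context; this neutralises the <script> payload used against the name fields.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample input: the report's SVG PoC, as it would arrive on upload.
const svgPoc = Buffer.from(
  '<?xml version="1.0" standalone="no"?>\n' +
  '<svg version="1.1" xmlns="http://www.w3.org/2000/svg">' +
  '<script type="text/javascript">alert("svg xss");</script></svg>'
);
const pngMagic = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

module.exports = { looksLikeSvg, uploadResponseHeaders, escapeHtml, svgPoc, pngMagic };
```

Calling uploadResponseHeaders('avatar.svg', svgPoc) or uploadResponseHeaders('avatar.png', svgPoc) (the renamed case) both yield an attachment with a sandbox CSP, while a genuine PNG is served inline.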

We are processing your report and will contact the polonel/trudesk team within 24 hours. a year ago
1d8 modified the report
a year ago
We have contacted a member of the polonel/trudesk team and are waiting to hear back a year ago
We have sent a follow up to the polonel/trudesk team. We will try again in 7 days. a year ago
1d8 modified the report
a year ago
We have sent a second follow up to the polonel/trudesk team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the polonel/trudesk team. This report is now considered stale. a year ago
Chris validated this vulnerability a year ago
1d8 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Chris
a year ago

Maintainer


This has been fixed in v1.2.2. I will update this report once released.

Chris marked this as fixed in 1.2.2 with commit 4575ed a year ago
Chris has been awarded the fix bounty
This vulnerability will not receive a CVE