«nDesk Support Center - Ticket System» have no input field filtering, so it's possible to inject a Stored XSS payload. Most usefull vulnerable fields is: «Subject» (for Tickets) and «Name» (for Category and Article). Plus, unauthorized posting isn't restricted, so admin 100% will see your payload.
PoC #1 [Stored XSS] as guest: Go to the demo website http://demos.codeniner.com/ndesk/?route=dashboard and create a new ticket without registration/auth. «Subject» field is good for your payload, f.e. test it with <script>alert('QUIXSS')</script>, fill in other fields and submit the form. After that your ticket with payload inside «Subject» field will be @ admin dashboard (you can check it by logging in with admin credentials: admin@example.com / admin).
PoC #2 [Stored XSS] as user: Go to the demo website http://demos.codeniner.com/ndesk/?route=dashboard and pay attention to the registration form. You can use your payload inside «Your Name» field, f.e. John<script>alert(document.cookie)</script>.
PoC #3 [Stored XSS] as admin: Go to the demo website http://demos.codeniner.com/ndesk/?route=dashboard and log in as admin, after that you will be able to use your payload in almost any input field u want: when creating new ticket, new category or new article, etc. etc.
PoC #4 [Reflected XSS]: http://demos.codeniner.com/ndesk/?q=%22%3E%3Cscript%3Ealert%28%27QUIXSS%27%29%3B%3C%2Fscript%3E&route=search