nDesk Support Center - Ticket System v1.4 Multiple XSS Injection

2019.04.16
QUIXSS (RU)
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

«nDesk Support Center - Ticket System» has no input field filtering, so it's possible to inject a Stored XSS payload. The most useful vulnerable fields are «Subject» (for Tickets) and «Name» (for Category and Article). In addition, unauthorized posting isn't restricted, so the admin 100% will see your payload.

PoC #1 [Stored XSS] as guest: Go to the demo website http://demos.codeniner.com/ndesk/?route=dashboard and create a new ticket without registration/auth. The «Subject» field is good for your payload, e.g. test it with <script>alert('QUIXSS')</script>, fill in the other fields and submit the form. After that, your ticket with the payload inside the «Subject» field will be on the admin dashboard (you can check it by logging in with the admin credentials: admin@example.com / admin).

PoC #2 [Stored XSS] as user: Go to the demo website http://demos.codeniner.com/ndesk/?route=dashboard and pay attention to the registration form. You can use your payload inside the «Your Name» field, e.g. John<script>alert(document.cookie)</script>.

PoC #3 [Stored XSS] as admin: Go to the demo website http://demos.codeniner.com/ndesk/?route=dashboard and log in as admin. After that you will be able to use your payload in almost any input field you want: when creating a new ticket, a new category, a new article, etc.

PoC #4 [Reflected XSS]: http://demos.codeniner.com/ndesk/?q=%22%3E%3Cscript%3Ealert%28%27QUIXSS%27%29%3B%3C%2Fscript%3E&route=search
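An added example, not part of the original advisory and not nDesk's own code: the missing control is output encoding at render time, shown here against the exact payloads quoted above. The table-row and input markup, the function names, and the assumption that the search term is echoed into a quoted attribute are hypothetical.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Payloads quoted in the advisory above, used here as test input.
SUBJECT = "<script>alert('QUIXSS')</script>"
NAME = "John<script>alert(document.cookie)</script>"
SEARCH_URL = ("http://demos.codeniner.com/ndesk/?q=%22%3E%3Cscript%3Ealert"
              "%28%27QUIXSS%27%29%3B%3C%2Fscript%3E&route=search")


def render_ticket_row_unsafe(subject: str, name: str) -> str:
    """Behaviour the advisory describes: stored values emitted verbatim."""
    return f"<tr><td>{subject}</td><td>{name}</td></tr>"


def render_ticket_row(subject: str, name: str) -> str:
    """Hardened: encode stored values when writing them into HTML text."""
    return (f"<tr><td>{html.escape(subject)}</td>"
            f"<td>{html.escape(name)}</td></tr>")


def render_search_box(url: str) -> str:
    """Hardened search page (assumed markup): q lands inside a quoted
    attribute, so the double quote must be encoded too. html.escape does
    that when quote=True, which is its default."""
    q = parse_qs(urlsplit(url).query).get("q", [""])[0]
    return f'<input type="text" name="q" value="{html.escape(q, quote=True)}">'


def has_live_script(markup: str) -> bool:
    """Crude demo-only check: does a raw <script> tag survive in the output?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print("unsafe row :", render_ticket_row_unsafe(SUBJECT, NAME))
    print("encoded row:", render_ticket_row(SUBJECT, NAME))
    print("search box :", render_search_box(SEARCH_URL))
```

Encoding belongs at the point of output and must match the context (HTML text, attribute, JavaScript, URL); filtering input alone does not cover values already stored in the database.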

References:

https://codecanyon.net/item/ndesk-support-center-ticket-system/16654561

