Helpdeskz 2.0.2 Cross Site Scripting
2024-8-28 04:12:57 Author: cxsecurity.com(查看原文) 阅读量:1 收藏

# Exploit Title: Stored XSS Vulnerability via File Name # Google Dork: N/A # Date: 08 Aug 2024 # Exploit Author: Md. Sadikul Islam # Vendor Homepage: https://www.helpdeskz.com/ # Software Link: https://github.com/helpdesk-z/helpdeskz-dev/archive/2.0.2.zip # Version: v2.0.2 # Tested on: Kali Linux / Firefox 115.1.0esr (64-bit) # CVE : N/A Payload: "><img src=x onerror=alert(1);> Filename can be Payload: "><img src=x onerror=alert(1);>.jpg VIdeo PoC: https://drive.google.com/file/d/1_yh0UsX8h7YcSU1kFvg_bBwk9T7kx1K1/view?usp=drive_link Steps to Reproduce: 1. Log in as a regular user and create a new ticket. 2. Fill out all the required fields with the necessary information. 3. Attach an image file with a malicious payload embedded in the filename. 4. Submit the ticket. 5. Access the ticket from the administration panel to trigger the payload execution. Cross-Site Scripting (XSS) exploits can compromise the administration panel, directly affecting administrators by allowing malicious scripts to execute within their privileged environment.



 

Thanks for you comment!
Your message is in quarantine 48 hours.


文章来源: https://cxsecurity.com/issue/WLB-2024080036
如有侵权请联系:admin#unsafe.sh