Stored XSS via .svg file upload in polonel/trudesk

Valid

Reported on

Mar 19th 2022


Description

The application allows .svg files to be uploaded, which leads to stored XSS.

Proof of Concept

1. Download the payload from this link: https://drive.google.com/file/d/1c1BP5bxXBxtwLfRJTrEPgMWK1yVFDF2R/view?usp=sharing and upload it on your profile.

2. Now open the path of the uploaded image (either right-click on the image and copy the image address, OR right-click, inspect the image, the URL will appear in the inspector, edit it as HTML).

3. Then the XSS triggers, since the malicious .svg extension is allowed.

Video PoC

https://drive.google.com/file/d/1_KOXMP_-jMhF4jEtg6XI_NopDNp5ZRCM/view?usp=sharing

Impact

This allows attackers to execute malicious scripts in the user's browser and it can lead to session hijacking, sensitive data exposure, and worse.

We are processing your report and will contact the polonel/trudesk team within 24 hours. 2 years ago
Chris validated this vulnerability 2 years ago
sampritdas8 has been awarded the disclosure bounty
The fix bounty is now up for grabs
SAMPRIT DAS
2 years ago

Researcher


@admin Can you register a CVE for this?

SAMPRIT DAS
2 years ago

Researcher


@admin

Jamie Slome
2 years ago

Sure, @maintainer, can you please confirm whether you would like us to assign and publish a CVE for this report?

SAMPRIT DAS
2 years ago

Researcher


@Chris @polonel @maintainer can you please reply

Chris
2 years ago

Maintainer


Yes, you can assign and publish a CVE for this report.

SAMPRIT DAS
2 years ago

Researcher


@admin The maintainer has agreed, so can you please register a CVE for this report?

Jamie Slome
2 years ago

CVE assigned! 🎊

Please confirm the fix @maintainer, and then we will be able to publish the CVE.

We have sent a fix follow up to the polonel/trudesk team. We will try again in 7 days. 2 years ago
We have sent a second fix follow up to the polonel/trudesk team. We will try again in 10 days. 2 years ago
We have sent a third and final fix follow up to the polonel/trudesk team. This report is now considered stale. 2 years ago
Chris marked this as fixed in v1.2.0 with commit c4b262 2 years ago
The fix bounty has been dropped
SAMPRIT DAS
2 years ago

Researcher


@Chris @polonel @maintainer I am still able to reproduce the steps for this report in version 1.2.0; can you please also verify it from your side?

SAMPRIT DAS
2 years ago

Researcher


You can reproduce the steps by downloading this SVG payload from this drive link: https://drive.google.com/file/d/1c1BP5bxXBxtwLfRJTrEPgMWK1yVFDF2R/view?usp=sharing

and uploading it as the profile image.

SAMPRIT DAS
2 years ago

Researcher


@admin Can you update the CVE details on NVD?

Jamie Slome
2 years ago

Sorted 👍
