XSS Stored in Email in osticket/osticket

Valid

Reported on

Dec 4th 2022


Description

It was discovered that it is possible to inject a malicious payload into the email address field, resulting in a stored XSS vulnerability.

Proof of Concept

1. Access the email settings page at /scp/emails.php


2. Create an account with the following email address:

Payload: test+(<script>alert(document.domain)</script>)@gmail.com

It works with any email account, because the addresses are put in the drop-down list.


3. Once the account is created, navigate to the email settings section.



4. The XSS is executed.
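An added illustration, not osTicket's own code, of where a stored address becomes dangerous and how escaping at the point of output neutralises it. The sample address is the one from the proof of concept; the function names are hypothetical.

```php
<?php
// Constructed sample: the address from the proof of concept, as it would sit
// in the database after the account is created.
$storedEmail = 'test+(<script>alert(document.domain)</script>)@gmail.com';

// Vulnerable form: the stored value is concatenated straight into the markup
// of the drop-down, so any tags inside it become part of the page.
function renderOptionUnsafe(string $email): string
{
    return '<option value="' . $email . '">' . $email . '</option>';
}

// Hardened form: escape for the HTML context where the value is emitted.
// This protects rows that were stored before any input-side fix existed.
function renderOptionSafe(string $email): string
{
    $escaped = htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<option value="' . $escaped . '">' . $escaped . '</option>';
}

// Input-side check: PHP's built-in validator rejects this address because
// '(', '<' and '>' are not permitted in an unquoted local part. It is a
// complement to output escaping, not a replacement for it.
function isAcceptableEmail(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

echo renderOptionUnsafe($storedEmail), PHP_EOL;
echo renderOptionSafe($storedEmail), PHP_EOL;
var_dump(isAcceptableEmail($storedEmail));
```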

Impact

If exploited, this vulnerability could allow an attacker to inject malicious JavaScript code into the email address field. This could potentially lead to unauthorized access to sensitive information, such as passwords and personal data.

References

We are processing your report and will contact the osticket team within 24 hours. a year ago
We have contacted a member of the osticket team and are waiting to hear back a year ago
osticket/osticket maintainer
a year ago

Maintainer


Thank you for the report. I will verify this and provide an update soon.

JediKev
a year ago

Maintainer


@edr4

Can you please test this patch to see if it fully mitigates the vulnerability?

diff --git a/include/class.email.php b/include/class.email.php
index bc4943c6..7843a446 100644
--- a/include/class.email.php
+++ b/include/class.email.php
@@ -334,12 +334,12 @@ class Email extends VerySimpleModel {
         if ($errors) return false;
 
         // Update basic settings
-        $this->email = $vars['email'];
+        $this->email = Format::sanitize($vars['email']);
         $this->name = Format::striptags($vars['name']);
-        $this->dept_id = $vars['dept_id'];
-        $this->priority_id = isset($vars['priority_id']) ? $vars['priority_id'] : '0';
-        $this->topic_id = $vars['topic_id'];
-        $this->noautoresp = $vars['noautoresp'];
+        $this->dept_id = (int) $vars['dept_id'];
+        $this->priority_id = (int) (isset($vars['priority_id']) ? $vars['priority_id'] : 0);
+        $this->topic_id = (int) $vars['topic_id'];
+        $this->noautoresp = (int) $vars['noautoresp'];
         $this->notes = Format::sanitize($vars['notes']);
 
         if ($this->save())
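Review bot: the change `$this->email = Format::sanitize($vars['email']);` only affects addresses saved after this patch; any address already stored with a payload will still reach the drop-down unchanged, so the template that builds that list should also HTML-escape the value on output, and existing rows may need a one-off cleanup. Since the function already has an `$errors` path (`if ($errors) return false;`), rejecting an address whose syntax is not a valid email there would be a stronger input-side control than sanitizing it into a different string. The `(int)` casts on `dept_id`, `priority_id`, `topic_id` and `noautoresp` are sensible hardening but are unrelated to the reported issue and deserve a separate mention in the commit description.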

Cheers.

Edra
a year ago

Researcher


Sorry for my late reply. I tested it and it corrects the vulnerability well.

JediKev validated this vulnerability a year ago
edr4 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
JediKev marked this as fixed in v1.16.6 with commit 091ddb a year ago
JediKev has been awarded the fix bounty
This vulnerability has now been published a year ago