Trudesk version 1.2.6 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the tickets Create/Modify Ticket Tags on admin role.

The attacker must go to Settings menu, select tickets and then scroll down to find Ticket Tags. Click at CREATE and insert the XSS payload at the Add Tags input, Create Tag in order to exploit the stored XSS. The XSS payload will be launched immediately after save.

• http://[IP]:8118/settings/tickets

• POST

  • /api/v1/tags/create
    • Parameter : tag

• <iframe src="javascript:alert('Hello XSS by BYPAZS!')">

1. Trudesk version 1.2.6 (https://github.com/polonel/trudesk/releases/tag/v1.2.6)

2. Google Chrome Version 109.0.5414.119 (Official Build) (x86_64)

1. Enter your username and password; the account must have admin privileges.
2. Select Settings menu, select Tickets and then scroll down to find Ticket Tags.
3. Click at CREATE and enter the XSS payload at the Add Tags input, Create Tag
4. The XSS payload will run immediately.

Thapanarath Khempetch

• 2023–02–15: Vulnerability discovered.
• 2023–02–15: Vulnerability reported to the MITRE corporation.
• 202X–XX–XX: CVE has been reserved.
• 202X–XX–XX: Public disclosure of the vulnerability.

Reference:

3. https://github.com/polonel/trudesk/releases/tag/v1.2.6

4. https://trudesk.io/