Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by hacktivist - 26.07.2025
Last edited by cbay - 28.07.2025

FS#195 - Stored Cross-Site Scripting (XSS) via File Upload in Support Ticket Feature

Description:
A stored XSS vulnerability exists in the support ticket submission functionality of the AlwaysData admin panel. An attacker can upload a specially crafted file (xss.poc) as an attachment while submitting a new ticket. When the ticket is submitted and the attached file is later opened by a staff member or user, malicious JavaScript embedded in the file is executed in their browser context.

This vulnerability allows attackers to perform actions such as stealing session cookies, executing arbitrary actions as the victim, or performing phishing attacks from within the trusted domain.

Steps to Reproduce:
Navigate to:
https://admin.alwaysdata.com/support/add/

Fill out the New Ticket form:

Title: Test XSS Ticket

Message: Please see the attached file.

Attach the malicious file xss.poc:

Submit the ticket.

After submission, navigate to the Support section and view the created ticket.

Click on the uploaded xss.poc attachment.

Result: A JavaScript alert box with the message XSS is triggered, confirming that the script executed in the browser.

Impact:
Arbitrary JavaScript execution in a user or admin context.

Session hijacking

Credential theft

Phishing within trusted domain

Full compromise of account integrity if an admin account is exploited

Recommendations:
Sanitize and validate all uploaded files both client-side and server-side.

Do not render or parse user-uploaded files as HTML or SVG content directly in the browser.

Use proper Content-Disposition headers to force downloads:
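
The following is an added illustration of the recommendation above, not code from the report or from alwaysdata: a permissive attachment handler beside a hardened one, with a small approximation of the browser's decision (download vs. render vs. MIME-sniff) so the difference can be checked offline. The file name, bytes and handler names are constructed for the example.

```python
import mimetypes
import re
from urllib.parse import quote

# Constructed sample attachment (not the reporter's actual xss.poc): an HTML body
# uploaded under an extension the server has no MIME mapping for.
SAMPLE_NAME = "xss.poc"
SAMPLE_BYTES = b"<html><body><script>alert('XSS')</script></body></html>"

HTML_LIKE = {"text/html", "application/xhtml+xml", "image/svg+xml"}


def sniff(data):
    """Crude stand-in for browser MIME sniffing: markup-looking bytes become HTML."""
    head = data.lstrip()[:64].lower()
    return "text/html" if head.startswith(b"<") else "application/octet-stream"


def unsafe_attachment_headers(name, data):
    """Permissive handler: inline response, type taken from the extension or sniffed.
    Nothing tells the browser to treat the body as a download."""
    ctype = mimetypes.guess_type(name)[0] or sniff(data)
    return {"Content-Type": ctype}


def safe_attachment_headers(name):
    """Hardened handler: force a download, pin a non-renderable type, forbid sniffing,
    and neutralise the body even if some client still renders it."""
    # Header-safe ASCII fallback plus an RFC 5987 filename* for the real name.
    ascii_name = re.sub(r"[^A-Za-z0-9._-]", "_", name) or "attachment"
    return {
        "Content-Type": "application/octet-stream",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment; filename=\"%s\"; filename*=UTF-8''%s"
        % (ascii_name, quote(name, safe="")),
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def browser_would_execute_script(headers, data):
    """Approximate what a browser does with a response whose body carries <script>:
    attachment disposition -> saved to disk, never rendered;
    nosniff -> only the declared Content-Type matters;
    otherwise -> sniffed type may upgrade the body to HTML."""
    if headers.get("Content-Disposition", "").lower().startswith("attachment"):
        return False
    if b"<script" not in data.lower():
        return False
    declared = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if headers.get("X-Content-Type-Options", "").lower() == "nosniff":
        return declared in HTML_LIKE
    effective = declared if declared in HTML_LIKE else sniff(data)
    return effective in HTML_LIKE


if __name__ == "__main__":
    weak = unsafe_attachment_headers(SAMPLE_NAME, SAMPLE_BYTES)
    strong = safe_attachment_headers(SAMPLE_NAME)
    print("unsafe handler executes script:", browser_would_execute_script(weak, SAMPLE_BYTES))
    print("safe handler executes script:  ", browser_would_execute_script(strong, SAMPLE_BYTES))
```

The headers alone only stop in-page rendering; serving attachments from a separate origin that holds no session cookies (or via signed, short-lived URLs) removes the remaining risk of a client that ignores Content-Disposition.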

Affected Users:
All users or administrators who open ticket attachments through the admin panel.

   1.png (126.2 KiB)
   2.png (163.1 KiB)
Closed by  cbay
28.07.2025 07:28
Reason for closing:  Duplicate
Additional comments about closing:  

https://security.alwaysdata.com/task/63
