Security vulnerabilities

Description:
A stored XSS vulnerability exists in the support ticket submission functionality of the AlwaysData admin panel. An attacker can upload a specially crafted file (xss.poc) as an attachment while submitting a new ticket. When the ticket is submitted and the attached file is later opened by a staff member or user, malicious JavaScript embedded in the file is executed in their browser context.

This vulnerability allows attackers to perform actions such as stealing session cookies, executing arbitrary actions as the victim, or performing phishing attacks from within the trusted domain.

Steps to Reproduce:
Navigate to:
https://admin.alwaysdata.com/support/add/

Fill out the New Ticket form:

Title: Test XSS Ticket

Message: Please see the attached file.

Attach the malicious file xss.poc:

Submit the ticket.

After submission, navigate to the Support section and view the created ticket.

Click on the uploaded xss.poc attachment.

Result: A JavaScript alert box with the message XSS is triggered, confirming that the script executed in the browser.

Impact:
Arbitrary JavaScript execution in a user or admin context.

Session hijacking

Credential theft

Phishing within trusted domain

Full compromise of account integrity if an admin account is exploited

Recommendations:
Sanitize and validate all uploaded files both client-side and server-side.

Do not render or parse user-uploaded files as HTML or SVG content directly in the browser.

Use proper Content-Disposition headers to force downloads:

Affected Users:
All users or administrators who open ticket attachments through the admin panel.