- Status: Closed
- Assigned To: cbay - Private
- Opened by: hacktivist - 26.07.2025
- Last edited by: cbay - 28.07.2025
FS#195 - Stored Cross-Site Scripting (XSS) via File Upload in Support Ticket Feature
Description:
A stored XSS vulnerability exists in the support ticket submission functionality of the AlwaysData admin panel. An attacker can upload a specially crafted file (xss.poc) as an attachment while submitting a new ticket. When the ticket is submitted and the attached file is later opened by a staff member or user, malicious JavaScript embedded in the file is executed in their browser context.
This vulnerability allows attackers to perform actions such as stealing session cookies, executing arbitrary actions as the victim, or performing phishing attacks from within the trusted domain.
Steps to Reproduce:
- Navigate to https://admin.alwaysdata.com/support/add/
- Fill out the New Ticket form:
  - Title: Test XSS Ticket
  - Message: Please see the attached file.
- Attach the malicious file xss.poc:
- Submit the ticket.
- After submission, navigate to the Support section and view the created ticket.
- Click on the uploaded xss.poc attachment.
Result: A JavaScript alert box with the message "XSS" is triggered, confirming that the script executed in the browser.
Impact:
- Arbitrary JavaScript execution in a user or admin context
- Session hijacking
- Credential theft
- Phishing within the trusted domain
- Full compromise of account integrity if an admin account is exploited
Recommendations:
- Sanitize and validate all uploaded files both client-side and server-side.
- Do not render or parse user-uploaded files as HTML or SVG content directly in the browser.
- Use proper Content-Disposition headers to force downloads:
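The following is an added illustration of the recommended mitigation, not AlwaysData's own code: a small helper that builds the response headers for serving a ticket attachment so that an uploaded HTML or SVG file is handed to the browser as an opaque download rather than rendered in the panel's origin. The function names, the list of active MIME types and the sample xss.poc bytes are all constructed for this example; wiring it into a real request handler is assumed.

```python
"""Serve support-ticket attachments without letting uploaded markup run.

Added example (not AlwaysData's code). `attachment_headers` is a hypothetical
helper a download view would call before streaming the file body.
"""
import re
from typing import Dict, Optional

# MIME types a browser will treat as active content (scripts run) when the
# response is displayed inline.  Anything in this set is downgraded to an
# opaque download type so the declared type can never be used to render it.
ACTIVE_CONTENT_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml", "text/javascript",
    "application/javascript", "application/x-javascript",
}

# Tags that identify renderable markup regardless of extension or declared
# type (the report's xss.poc carries no telling extension at all).
_MARKUP_RE = re.compile(
    rb"<\s*(script|svg|html|!doctype|iframe|object|embed)\b", re.I
)


def looks_like_markup(head: bytes) -> bool:
    """True if the leading bytes of an upload contain tags a browser would execute."""
    return _MARKUP_RE.search(head[:4096]) is not None


def safe_download_filename(name: str) -> str:
    """Reduce a user-supplied name to one header-safe path component.

    Strips directories, quotes, control characters and leading dots so the
    value cannot break out of the Content-Disposition header or hide a file.
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    return base[:100] or "attachment.bin"


def attachment_headers(filename: str, declared_type: Optional[str],
                       head: bytes = b"") -> Dict[str, str]:
    """Build response headers that force a download and block inline rendering.

    - Content-Disposition: attachment forces the browser to save the file.
    - X-Content-Type-Options: nosniff stops the browser from guessing a more
      dangerous type than the one sent.
    - A CSP with `sandbox` and no sources is defence in depth: even if some
      client does display the body, scripts in it run without the panel's
      origin or cookies.
    """
    content_type = (declared_type or "").lower().split(";")[0].strip()
    if (not content_type or content_type in ACTIVE_CONTENT_TYPES
            or looks_like_markup(head)):
        content_type = "application/octet-stream"
    return {
        "Content-Type": content_type,
        "Content-Disposition":
            f'attachment; filename="{safe_download_filename(filename)}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Cache-Control": "private, no-store",
    }


if __name__ == "__main__":
    # Constructed stand-in for the report's xss.poc attachment.
    poc = b'<script>alert("XSS")</script>'
    for key, value in attachment_headers("xss.poc", None, poc).items():
        print(f"{key}: {value}")
```

Because the disposition is always `attachment`, the type downgrade and the CSP only matter for clients that ignore the disposition; keeping all three means a single misconfigured layer does not reopen the issue.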
Affected Users:
All users or administrators who open ticket attachments through the admin panel.