Status: Closed
Assigned To: cbay - Private
Opened by vaptresearchers - 13.03.2026
Last edited by cbay - 16.03.2026
FS#304 - Possible regression – Stored XSS via PDF attachment in support (similar to FS#63/131/195)
Dear Alwaysdata Security Team,
I believe I have reproduced a stored XSS via file upload in the support ticket feature at admin.alwaysdata.com, which appears similar to your previously reported tasks FS#63, FS#131 and FS#195.
Summary
Feature: Support ticket creation (/support/add/) on admin.alwaysdata.com.
Vector: Malicious PDF attachment with embedded JavaScript (created using JS2PDFInjector).
Impact: When a staff member opens the attached PDF from the ticket page, JavaScript executes in the context of admin.alwaysdata.com.
Steps to reproduce
1. Log in to the admin panel and go to Support → Open a new ticket (https://admin.alwaysdata.com/support/add/).
2. Fill in Object/Subject/Message with any values (I also tested some filtered HTML/Markdown payloads which were correctly neutralized).
3. Attach a PDF named js_injected_poc.pdf containing embedded JS such as:
   app.alert("DJH4CK3R");
   app.alert("XSS");
4. Submit the ticket (I used a normal submission; using Content-Encoding: gzip also works but is not required).
5. Open the ticket in the support inbox: https://admin.alwaysdata.com/support/92563/#Bottom.
6. Click the attachment link js_injected_poc.pdf, which points to, for example:
   https://admin.alwaysdata.com/support/92563/427563-js_injected_poc.pdf.
7. The PDF is rendered and the embedded JavaScript executes, showing alert dialogs “DJH4CK3R” and “XSS” coming from admin.alwaysdata.com.
Notes about prior reports
I noticed that very similar issues have been reported before:
FS#63 – Stored XSS Via Upload Document
FS#131 – Stored XSS by PDF in Support inbox
FS#195 – Stored Cross-Site Scripting (XSS) via File Upload in Support Ticket Feature
My PoC demonstrates that as of March 13, 2026 this vector is still exploitable via PDF attachment and direct view in the support interface. I’m fully aware this might be treated as a duplicate / regression and I’m not reporting it with bounty expectations; I mainly wanted to flag that the mitigation for those tasks may not completely cover PDF‑based payloads.
If you would like, I can provide:
The exact PoC PDF file
Burp request/response logs for the ticket submission
A short video showing upload → ticket → alert execution
Thank you for your time and for keeping the platform secure.
Cordially,
DJH4CK3R
PoC.pdf
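The following is an added example, not code from the report above or from alwaysdata. It shows the three pieces a practitioner wants around this class of report: what a JavaScript-bearing PDF looks like on the wire (an /OpenAction pointing at a /JavaScript action, the same idea as the JS2PDFInjector output the reporter used), a best-effort check for such content in uploads, and response headers that force a download so the browser's PDF viewer does not render the upload inline on the application's origin. The PDF object layout, the marker list and the function names are assumptions made for this example; they are not the reporter's PoC file or the ticket system's code.

```python
# Added example (not from the report or from alwaysdata): builds a minimal
# PDF with a JavaScript OpenAction, checks uploads for script markers, and
# returns download headers that prevent inline rendering of user uploads.
import re
from typing import Dict, List, Optional


def build_pdf(js: Optional[str] = None) -> bytes:
    """Return a minimal one-page PDF. If `js` is given it becomes the
    document's /OpenAction, so a viewer with PDF scripting runs it on open.
    The object layout here is an assumption for this example."""
    catalog = b"<< /Type /Catalog /Pages 2 0 R"
    if js is not None:
        catalog += b" /OpenAction 4 0 R"
    objects = [
        catalog + b" >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
    ]
    if js is not None:
        # Escape the delimiters of a PDF literal string.
        lit = js.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objects.append(b"<< /Type /Action /S /JavaScript /JS (" + lit.encode() + b") >>")

    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_pos = len(out)
    size = len(objects) + 1
    out += b"xref\n0 %d\n0000000000 65535 f \n" % size
    for off in offsets:
        out += b"%010d 00000 n \n" % off        # 20-byte xref entries
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (size, xref_pos)
    return bytes(out)


# Names worth flagging in an uploaded PDF (assumed list for this example).
SCRIPT_MARKERS = (
    ("/JavaScript", rb"/JavaScript\b"),   # JavaScript action dictionary
    ("/JS", rb"/JS\b"),                   # the script itself
    ("/OpenAction", rb"/OpenAction\b"),   # runs on open (a benign GoTo is also common)
    ("/AA", rb"/AA\b"),                   # additional-actions triggers
    ("/Launch", rb"/Launch\b"),           # launch an external application
)


def _decode_name_escapes(data: bytes) -> bytes:
    """PDF names may hex-escape characters (/J#53 is /JS); normalise them so
    trivial escaping does not slip past the marker check."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes.fromhex(m.group(1).decode("ascii")), data)


def pdf_script_indicators(data: bytes) -> List[str]:
    """Return the script-related names present in the raw PDF bytes.
    Best effort only: objects inside compressed object streams are not
    inflated here, so an empty result is not proof of a clean file."""
    text = _decode_name_escapes(data)
    return [name for name, pat in SCRIPT_MARKERS if re.search(pat, text)]


def should_reject_upload(data: bytes) -> bool:
    """Reject when the file carries a JavaScript action; the remaining
    markers are worth logging but also appear in harmless documents."""
    found = pdf_script_indicators(data)
    return "/JavaScript" in found or "/JS" in found


def attachment_headers(filename: str) -> Dict[str, str]:
    """Headers for serving a user upload: force a download instead of inline
    rendering and disable MIME sniffing. Serving uploads from a separate,
    cookie-less origin is the other standard option."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": 'attachment; filename="%s"' % safe,
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    poc = build_pdf('app.alert("XSS");')
    print(pdf_script_indicators(poc), should_reject_upload(poc))
    print(pdf_script_indicators(build_pdf()), should_reject_upload(build_pdf()))
    print(attachment_headers("js_injected_poc.pdf"))
```

Running the block builds a script-bearing PDF and a plain one, shows which markers each triggers, and prints the headers a download endpoint would send; the marker scan is deliberately conservative, since a real gate should also inflate object streams before deciding a file is clean.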
Hello,
As we explained in the first report, we do not consider it a security issue, which is why we haven't mitigated it.
Thanks for the thorough report though, we appreciate it.
Kind regards,
Cyril