Task FS#304 (Closed), opened by vaptresearchers
Summary: Possible regression – Stored XSS via PDF attachment in ...

Task Description

Dear Alwaysdata Security Team,

I believe I have reproduced a stored XSS via file upload in the support ticket feature at admin.alwaysdata.com, which appears similar to your previously reported tasks FS#63, FS#131 and FS#195.

Summary

Feature: Support ticket creation (/support/add/) on admin.alwaysdata.com.

Vector: Malicious PDF attachment with embedded JavaScript (created using JS2PDFInjector).

Impact: When a staff member opens the attached PDF from the ticket page, JavaScript executes in the context of admin.alwaysdata.com.

Steps to reproduce

1. Log in to the admin panel and go to Support → Open a new ticket (https://admin.alwaysdata.com/support/add/).

2. Fill in Object/Subject/Message with any values (I also tested some filtered HTML/Markdown payloads, which were correctly neutralized).

3. Attach a PDF named js_injected_poc.pdf containing embedded JS such as:
   app.alert("DJH4CK3R");
   app.alert("XSS");

4. Submit the ticket (I used a normal submission; using Content-Encoding: gzip also works but is not required).

5. Open the ticket in the support inbox: https://admin.alwaysdata.com/support/92563/#Bottom.

6. Click the attachment link js_injected_poc.pdf, which points to, for example:
   https://admin.alwaysdata.com/support/92563/427563-js_injected_poc.pdf.

7. The PDF is rendered and the embedded JavaScript executes, showing alert dialogs "DJH4CK3R" and "XSS" coming from admin.alwaysdata.com.

Notes about prior reports

I noticed that very similar issues have been reported before:

FS#63 – Stored XSS Via Upload Document
FS#131 – Stored XSS by PDF in Support inbox
FS#195 – Stored Cross-Site Scripting (XSS) via File Upload in Support Ticket Feature

My PoC demonstrates that as of March 13, 2026 this vector is still exploitable via PDF attachment and direct view in the support interface. I'm fully aware this might be treated as a duplicate / regression and I'm not reporting it with bounty expectations; I mainly wanted to flag that the mitigation for those tasks may not completely cover PDF-based payloads.

If you would like, I can provide:
The exact PoC PDF file
Burp request/response logs for the ticket submission
A short video showing upload → ticket → alert execution

Thank you for your time and for keeping the platform secure.

Cordially,
DJH4CK3R
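
As an added example (not part of the report above, and not alwaysdata's own code), the following Python builds a minimal PoC PDF of the kind the report describes, a document /OpenAction that runs app.alert on open, and then shows the two checks a defender would want on the upload path: a plain-text scan of an uploaded PDF for JavaScript and auto-action names, and the response headers that keep an attachment from rendering inside the admin origin. The function names, the marker list and the header set are this example's own assumptions, not alwaysdata's implementation.

```python
"""Added example: PoC PDF builder plus two upload-side checks.

Not code from the report or from alwaysdata; function names, the marker
list and the header set are this example's own assumptions.
"""
import re


def _pdf_literal(text: str) -> bytes:
    """Encode text as a PDF literal string, escaping \\, ( and )."""
    escaped = (text.replace("\\", "\\\\")
                   .replace("(", "\\(")
                   .replace(")", "\\)"))
    return b"(" + escaped.encode("latin-1") + b")"


def build_pdf(js: str = "") -> bytes:
    """Build a one-page PDF with a correct xref table. If js is non-empty it
    is attached as the document /OpenAction, so a viewer that honours PDF
    JavaScript (Acrobat, Chrome's PDFium, partly PDF.js) runs it on open."""
    catalog = b"<< /Type /Catalog /Pages 2 0 R"
    if js:
        catalog += b" /OpenAction 4 0 R"
    catalog += b" >>"
    objects = [
        catalog,
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
    ]
    if js:
        objects.append(b"<< /Type /Action /S /JavaScript /JS "
                       + _pdf_literal(js) + b" >>")
    out = b"%PDF-1.7\n"
    offsets = []  # byte offset of each "N 0 obj", needed for the xref table
    for num, obj in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, obj)
    xref_pos = len(out)
    size = len(objects) + 1
    xref = b"xref\n0 %d\n0000000000 65535 f \n" % size  # entries are 20 bytes
    for off in offsets:
        xref += b"%010d 00000 n \n" % off
    trailer = (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
               % (size, xref_pos))
    return out + xref + trailer


# Names whose presence means the file can run code or fire actions on open.
_ACTIVE_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")


def find_pdf_javascript(data: bytes) -> list:
    """Plain-text scan of an uploaded PDF for JavaScript / auto-action names.
    Limits: names inside compressed object streams or written with #xx hex
    escapes (e.g. /J#53) are not seen, so a hit means 'reject or quarantine'
    while a miss means 'unknown', not 'clean'."""
    hits = []
    for marker in _ACTIVE_MARKERS:
        # Require a delimiter after the name so /JS does not match /JSxyz.
        if re.search(re.escape(marker) + rb"(?=[\s/\[\]<>(])", data):
            hits.append(marker.decode())
    return hits


def hardened_headers(filename: str) -> dict:
    """Headers for serving a user-uploaded PDF: force a download so the file
    never renders inside the admin origin, and stop MIME sniffing."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": "application/pdf",
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


def response_allows_inline_render(headers: dict) -> bool:
    """True when a browser would open this response in its own PDF viewer,
    i.e. it is declared as PDF and not forced to download."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    disp = h.get("content-disposition", "").split(";")[0].strip().lower()
    return ctype == "application/pdf" and disp != "attachment"


if __name__ == "__main__":
    poc = build_pdf('app.alert("XSS");')
    with open("js_injected_poc.pdf", "wb") as fh:
        fh.write(poc)
    print("active-content markers:", find_pdf_javascript(poc))
    print("inline with hardened headers?",
          response_allows_inline_render(hardened_headers("js_injected_poc.pdf")))
```

Running the script writes js_injected_poc.pdf, which any viewer that honours PDF JavaScript will pop an alert from, and reports the markers the scan finds in it. Two caveats worth keeping in mind when triaging: the scan is deliberately conservative and will miss names hidden in object streams or hex escapes, so the durable fix is the header side (attachment disposition plus nosniff), not the scan; and whether app.alert inside a browser's PDF viewer can reach the embedding page's DOM depends on the viewer, so the alert itself shows the file is rendered in that origin's viewer rather than proving script access to the admin session.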
