VYPR
Unrated severity · NVD Advisory · Published Mar 1, 2024 · Updated Apr 16, 2025

Cross-Site Scripting vulnerability in HelpDeskZ

CVE-2024-2078

Description

HelpDeskZ 2.0.2 and earlier has a stored XSS in the email field, enabling partial session takeover for authenticated users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

HelpDeskZ version 2.0.2 and earlier contains a Cross-Site Scripting (XSS) vulnerability (CWE-79) in the email field. An attacker can inject a specially crafted JavaScript payload that is stored and later executed in the browser of an authenticated user viewing the affected component. [1]

Exploitation

An attacker needs an authenticated HelpDeskZ user to submit a ticket or update their profile with a malicious payload in the email field. The payload is stored and executed when another authenticated user (or the same user) views the related page. No special network position is required other than access to the HelpDeskZ instance. [1]

Impact

Successful exploitation allows the attacker to partially take control of the authenticated user's browser session, leading to potential information disclosure (e.g., ticket data, session tokens) or limited unauthorized actions within the application. The CVSS v3.1 base score is 4.6 (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N). [1]

Mitigation

As of the publication date, no official fix or patched version has been released. The vendor has not provided a confirmed solution. Users are advised to restrict access to the HelpDeskZ instance and sanitize email input manually if possible. [1]
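To make "sanitize email input" concrete, here is an added example that is not HelpDeskZ code and assumes nothing about its internals: a strict email allowlist check on the way in, plus contextual HTML encoding on the way out. The validation regex, the `store_email`/`render_email` names and the sample inputs are constructed for this illustration. Output encoding in the template is the control that actually closes CWE-79; input validation is defence in depth and also keeps the stored data clean.

```python
import html
import re

# Conservative allowlist for an address: printable local part, dotted DNS labels, alphabetic TLD.
# Deliberately narrower than RFC 5322 so that markup characters can never pass.
_EMAIL_RE = re.compile(
    r"[A-Za-z0-9._%+-]{1,64}@(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}"
)
_MAX_EMAIL_LEN = 254


def validate_email(value: str) -> bool:
    """Return True only for addresses that match the allowlist and length limit."""
    if not isinstance(value, str) or len(value) > _MAX_EMAIL_LEN:
        return False
    return _EMAIL_RE.fullmatch(value) is not None


def store_email(profile: dict, value: str) -> bool:
    """Input-side control: refuse to persist anything that is not a plain address."""
    if not validate_email(value):
        return False
    profile["email"] = value
    return True


def render_email(value: str) -> str:
    """Output-side control: encode for an HTML text or attribute context before it reaches a page."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    profile = {}
    # Constructed sample inputs: a benign address and one carrying markup.
    benign = "alice@example.com"
    tainted = "alice@example.com<script>x</script>"
    print(store_email(profile, benign))   # True
    print(store_email(profile, tainted))  # False, never written to the profile
    # Even if legacy data reached the template, encoding neutralises it on output.
    print(render_email(tainted))
```

Use both layers: reject at the form or API boundary so bad data never reaches the database, and encode in every view that prints the field, because stored rows written before the fix will not have been validated. Where a view emits the address inside a JavaScript string or a URL rather than HTML text, apply that context's encoder instead of `html.escape`.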

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Helpdeskz/Helpdeskz (llm-fuzzy match), 2 version ranges: <=2.0.2 + 1 more
    • (no CPE) range: <=2.0.2
    • (no CPE) range: 0

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (1)

News mentions (0)

No linked articles in our index yet.