CVE-2024-46226
Description
Stored XSS in HelpDeskZ < v2.0.2 allows attackers to execute arbitrary JavaScript in the admin panel by uploading a file with a malicious filename when creating a ticket.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in HelpDeskZ versions prior to v2.0.2. The bug resides in the file upload functionality during ticket creation: the filename is not sanitized before being stored and later rendered in the administration panel. An attacker can embed a malicious payload in the filename, which is executed when an administrator views the ticket. Affected versions are all HelpDeskZ releases before v2.0.2 [1].
Exploitation
An attacker must be a logged-in regular user. The exploitation sequence is: log in, create a new ticket, fill in required fields, attach an image file with a malicious filename such as `">.jpg`, and submit the ticket. When an administrator accesses the ticket from the administration panel, the payload executes in the context of the admin's browser [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the administration panel. This can lead to session hijacking, credential theft, or performing administrative actions on behalf of the victim administrator, effectively escalating privileges from a regular user to full administrative control [1].
Mitigation
The vulnerability is fixed in HelpDeskZ version v2.0.2. Users should upgrade to this version immediately. No workarounds are documented. The CVE is not listed on the Known Exploited Vulnerabilities (KEV) catalog as of publication [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization on uploaded file names allows stored XSS."
Attack vector
An attacker logs in as a regular user and creates a new ticket, attaching a file whose name contains a JavaScript payload such as `">
Affected code
The vulnerability exists in the file upload function used when creating a new ticket. The application does not sanitize or validate the file name before storing it, allowing arbitrary JavaScript to be embedded in the filename [ref_id=1].
What the fix does
The advisory does not include a patch or specific remediation code. The vendor recommends upgrading to HelpDeskZ v2.0.2 or later, which presumably introduces proper sanitization of file names before storage and display [ref_id=1]. No further technical details about the fix are provided in the available reference.
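Since the reference gives no patch, the following is an added example (not HelpDeskZ code) of the two defensive layers the class of bug calls for: normalising an attachment name before it is stored, and HTML-escaping it when it is rendered in the admin view. The function names, the extension allow-list and the `/tickets/<id>/attachments/` URL layout are assumptions for illustration; the unsafe renderer is shown only to contrast with the escaped one.

```python
# Added example, not the project's code. Two layers against stored XSS via
# attachment names: sanitize on upload, escape on output. Names, paths and
# the extension allow-list are illustrative assumptions.
import html
import os
import re
import unicodedata
from urllib.parse import quote

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
# Anything outside this conservative set is replaced before storage.
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_attachment_name(raw_name: str, max_stem_len: int = 100) -> str:
    """Return a storage-safe name derived from a user-supplied filename.

    Drops directory components, normalises Unicode, enforces an extension
    allow-list and replaces every character outside [A-Za-z0-9._-] with '_'.
    Raises ValueError for names that cannot be made safe.
    """
    # Strip any path the client may have sent (either separator style).
    base = os.path.basename(raw_name.replace("\\", "/"))
    # NFKC so full-width or composed look-alikes collapse to ASCII where possible.
    base = unicodedata.normalize("NFKC", base)
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:
        raise ValueError("filename must have both a stem and an extension")
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension .{ext} is not allowed")
    stem = _UNSAFE_CHARS.sub("_", stem).strip("._") or "file"
    return f"{stem[:max_stem_len]}.{ext}"


def render_attachment_link_unsafe(stored_name: str, ticket_id: int) -> str:
    """The vulnerable pattern: the name is interpolated into HTML verbatim,
    so a name containing '">' terminates the attribute and the tag."""
    return (f'<a href="/tickets/{ticket_id}/attachments/{stored_name}">'
            f'{stored_name}</a>')


def render_attachment_link(stored_name: str, ticket_id: int) -> str:
    """The hardened pattern: encode for each context the value lands in.

    The href gets percent-encoding (URL context) and then HTML attribute
    escaping; the visible label gets HTML escaping. This holds even if a
    name somehow reached storage without going through the sanitizer.
    """
    href_part = html.escape(quote(stored_name), quote=True)
    label = html.escape(stored_name, quote=True)
    return f'<a href="/tickets/{ticket_id}/attachments/{href_part}">{label}</a>'


if __name__ == "__main__":
    # Constructed inputs: the page's own '">.jpg' example plus a path-traversal name.
    for name in ['">.jpg', "../../evil photo.PNG"]:
        print(repr(name), "->", sanitize_attachment_name(name))
    print(render_attachment_link_unsafe('">.jpg', 7))
    print(render_attachment_link('">.jpg', 7))
```

The important design point is that output escaping is applied unconditionally at render time: input sanitization limits what gets stored, but an admin template must never trust that every stored name went through the current sanitizer (older rows, other upload paths, direct database edits).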
Preconditions
- auth: Attacker must have a valid regular user account on the HelpDeskZ instance
- input: Attacker must be able to create a new ticket and upload a file attachment
- config: An administrator must view the submitted ticket in the administration panel to trigger the payload
Reproduction
1. Log in as a regular user and create a new ticket.
2. Fill out all required fields.
3. Attach an image file with the filename `">
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0)
No linked articles in our index yet.