VYPR
High severity (7.6) · NVD Advisory · Published Sep 23, 2024 · Updated Apr 15, 2026

CVE-2024-46639

Description

Stored XSS in HelpDeskZ v2.0.2 allows attackers to inject malicious scripts via the Name field of custom fields, leading to session hijacking or data compromise.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

HelpDeskZ v2.0.2 contains a stored cross-site scripting (XSS) vulnerability in the Custom Fields feature. The Name text field of custom fields does not properly sanitize user input, allowing an attacker to inject arbitrary web scripts or HTML[1]. This was discovered by security researcher Md. Ashfaqul Haq[2].

Exploitation

An attacker with a standard user account can exploit this vulnerability by navigating to Tools > Custom Fields > New custom field and injecting a crafted payload into the Name field. For example, the payload "> can be used to execute JavaScript[2]. The payload is then stored and executed when the custom fields page is viewed by other users, including administrators[1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the administration panel. This can lead to session hijacking, unauthorized actions, defacement, or redirection to malicious sites, potentially compromising sensitive data[1][2].

Mitigation

As of the publication date (2024-09-23), no official patch has been released. It is recommended to sanitize all user inputs in custom fields and consider upgrading to a patched version when available. The vendor (HelpDeskZ) should be contacted for a fix[1][2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Helpdeskz/Helpdeskz (inferred), 2 versions: <=2.0.2 and 1 more
    • (no CPE) range: <=2.0.2
    • (no CPE) range: =2.0.2

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

Missing input sanitization and output encoding in the Custom Fields "Name" field allows stored cross-site scripting.

Attack vector

An attacker with a normal user account logs in and navigates to Tools > Custom Fields > New custom field. After filling out the required fields and submitting, the attacker intercepts the request (e.g., with Burp Suite) and modifies the "Name" (title) field to contain the payload `">

Affected code

The vulnerability exists in the Custom Fields feature of HelpDeskZ v2.0.2. The "Name" text field of the custom field creation form does not sanitize or escape user-supplied input before storing it and later rendering it in the administration panel.

What the fix does

No patch is included in the bundle. The advisory [1] does not provide remediation guidance or a fix commit. To close this vulnerability, the application should sanitize or escape the "Name" field input on the server side before storing it, and/or encode the output when rendering custom field names in the administration panel to prevent script execution.
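The two controls named above, shown as an added example in PHP (HelpDeskZ's language) that is not HelpDeskZ's own code: the function names, the template fragment and the sample custom-field name are all assumptions, and the sample input is constructed to contain the characters that matter for an HTML attribute context (quotes, angle brackets, ampersand).

```php
<?php
// Added example, not HelpDeskZ code. Demonstrates server-side validation on
// store and output encoding on render for a custom-field "Name" value.
// Function names, the template fragment and the sample value are hypothetical.

declare(strict_types=1);

// Constructed sample input: a field name carrying HTML metacharacters.
const SAMPLE_NAME = 'Ticket "priority" <level> & notes';

// Rendering as the advisory describes it: the stored value goes into the
// page unencoded, so a value containing "> closes the attribute and the
// browser interprets whatever follows as markup.
function renderNameVulnerable(string $name): string
{
    return '<input type="text" value="' . $name . '">';
}

// Hardened rendering: encode for the HTML attribute context. ENT_QUOTES
// covers both quote styles, ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, and the charset is stated explicitly.
function renderNameSafe(string $name): string
{
    $encoded = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" value="' . $encoded . '">';
}

// Server-side validation before storing: a custom-field label has no
// legitimate need for markup, so reject angle brackets and cap the length.
// Returns null when the value is unacceptable. Requires the mbstring extension.
function validateCustomFieldName(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        return null;
    }
    if (preg_match('/[<>]/', $name) === 1) {
        return null;
    }
    return $name;
}

// Compare the two renderings and the validation outcome for the sample value.
echo renderNameVulnerable(SAMPLE_NAME), PHP_EOL;
echo renderNameSafe(SAMPLE_NAME), PHP_EOL;
var_dump(validateCustomFieldName(SAMPLE_NAME));
var_dump(validateCustomFieldName('Ticket priority'));
```

Output encoding at the point of rendering is the control that actually prevents script execution, because it is correct regardless of where the value came from; the validation step is defense in depth that keeps markup out of the database in the first place and gives operators a log point for rejected submissions.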

Preconditions

  • auth: Attacker must have a valid normal user account on the HelpDeskZ instance.
  • network: Attacker must have network access to the HelpDeskZ web application.
  • config: The application must have the Custom Fields feature enabled and accessible.

Reproduction

1. Log in as a normal user.
2. Navigate to Tools > Custom Fields > New custom field.
3. Fill out the required fields and click Submit.
4. Capture the request using Burp Suite or a similar proxy tool.
5. Modify the title field to contain the payload `">

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (1)

News mentions (0)

No linked articles in our index yet.