CVE-2022-31455

Rohit Gautam
1 min read · Jul 17, 2023


A cross-site scripting (XSS) vulnerability in the chatbox of Truedesk v1.2.2: a chat message containing script is rendered without output encoding in the recipient's chat window.

Discovered by: Shifa Cyclewala & Rohit Gautam from Hacktify Cyber Security.

Reference:
https://www.acunetix.com/vulnerabilities/web/cross-site-scripting/

What is XSS?

Cross-Site Scripting (XSS) is a web application vulnerability that occurs when an application places untrusted input into a page without proper output encoding, so that an attacker's script (typically JavaScript) becomes part of the page served by a trusted site and runs in other users' browsers with that site's origin. Depending on where the input is rendered, the payload may be reflected from a request or stored and served to every user who views it. Consequences include theft of session cookies and other sensitive data, hijacking of user sessions, actions performed on the victim's behalf, and defacement of the site.

Bug Description:

To exploit the vulnerability, an attacker places a specially crafted XSS payload in the message field of the chatbox and sends the message to another user. The message body is stored and rendered as HTML rather than as text, so the payload executes in the recipient's browser when the chat is displayed (stored XSS).

Steps to Reproduce:

Step 1: Log in to the Truedesk platform and open the chatbox.

Step 2: In the message field, enter an XSS payload and send the message to another user.

Step 3: When the message is rendered in the recipient's chat window, the payload executes (for example, an alert dialog appears), which confirms the presence of the vulnerability.

LinkedIn:
https://www.linkedin.com/in/shifa
https://www.linkedin.com/in/iamrohitg

Thank you
Shifa Cyclewala & Rohit Gautam from Hacktify Cyber Security.

