An Information Security Researcher, Sukhwinder Singh, has identified a critical security flaw in one of the top Support ticket system provided by Zendesk.
The title field is vulnerable to Persistent Cross site scripting. The researcher managed to create a ticket with this title : "><script>alert(/Sukhwinder Singh/)</script>.
Even though the Developer of this app managed to sanitize the title before being displayed in the user end, he stored the title in the database without sanitizing.
The title is being sanitized every time it is being displayed in the page. Unfortunately, they failed to remove the special characters before displaying the title in data-text attribute of Twitter_button code.
POC:
https://support.zuora.com/entries/23275787--script-alert-Sukhwinder-Singh-script-
The google dork "Support Ticket System by Zendesk" returns thousands of websites that use this application.
The researcher claimed to have contacted the Zendesk but there is response from their side. I've also sent notification to Zendesk.
The title field is vulnerable to Persistent Cross site scripting. The researcher managed to create a ticket with this title : "><script>alert(/Sukhwinder Singh/)</script>.
Even though the Developer of this app managed to sanitize the title before being displayed in the user end, he stored the title in the database without sanitizing.
The title is being sanitized every time it is being displayed in the page. Unfortunately, they failed to remove the special characters before displaying the title in data-text attribute of Twitter_button code.
POC:
https://support.zuora.com/entries/23275787--script-alert-Sukhwinder-Singh-script-
The google dork "Support Ticket System by Zendesk" returns thousands of websites that use this application.
The researcher claimed to have contacted the Zendesk but there is response from their side. I've also sent notification to Zendesk.