CVE-2023-26982
📋 TL;DR
This stored XSS vulnerability in Trudesk v1.2.6 allows attackers to inject malicious scripts via the Add Tags parameter when creating tickets. When other users view affected tickets, the scripts execute in their browsers, potentially stealing session cookies or performing actions on their behalf. All Trudesk instances running the vulnerable version are affected.
💻 Affected Systems
- Trudesk
📦 What is this software?
Trudesk by Trudesk Project
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, gain full system access, pivot to internal networks, or deploy ransomware through malicious scripts.
Likely Case
Session hijacking, credential theft, defacement of ticket pages, or limited account compromise of users viewing malicious tickets.
If Mitigated
Script execution blocked by CSP headers, input validation prevents injection, or only low-privilege accounts affected with minimal damage.
🎯 Exploit Status
Exploitation requires ability to create tickets or access to a user account with ticket creation privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v1.2.7 or later
Vendor Advisory: https://github.com/polonel/trudesk/releases/tag/v1.2.7
Restart Required: Yes
Instructions:
1. Back up your Trudesk database and configuration.
2. Download v1.2.7 or later from GitHub releases.
3. Replace the existing installation files with the new version.
4. Restart the Trudesk service.
5. Verify functionality.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize tag parameters before storage.
Modify the server-side code to escape HTML entities in tag input so a stored tag is rendered as text, not markup.
Content Security Policy
Implement strict CSP headers to prevent script execution from untrusted sources.
Add the header Content-Security-Policy: default-src 'self'; script-src 'self' to HTTP responses. Roll it out first as Content-Security-Policy-Report-Only, since a policy without 'unsafe-inline' also blocks any inline scripts the application itself relies on.
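As an added example (not Trudesk's own code), this is how the two workarounds above look in a Node.js ticket handler: an allowlist validator for the tags array of a ticket-creation request, and HTML-entity escaping when stored tags are rendered. Function names, the tag character set and the request body are assumptions; the payload is the test string from the verification section.

```javascript
// Added example, not Trudesk's own code: server-side handling of the
// "Add Tags" parameter. Function and field names are hypothetical.

// Tags are short labels; anything outside this allowlist (letters, digits,
// space, dash, underscore, max 64 chars) is rejected before storage.
const TAG_PATTERN = /^[\p{L}\p{N} _-]{1,64}$/u;

// Validate the tags array from a ticket-creation request body.
// Returns { ok: true, tags } with trimmed tags, or { ok: false, rejected }.
function validateTags(tags) {
  if (!Array.isArray(tags)) return { ok: false, rejected: [String(tags)] };
  const accepted = [];
  const rejected = [];
  for (const raw of tags) {
    const tag = typeof raw === 'string' ? raw.trim() : '';
    if (TAG_PATTERN.test(tag)) accepted.push(tag);
    else rejected.push(String(raw));
  }
  return rejected.length ? { ok: false, rejected } : { ok: true, tags: accepted };
}

// Escape the five characters HTML treats specially so a stored tag renders
// as text in the ticket view. This is defence in depth for tags that were
// stored before the validator was in place.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a ticket's tags as escaped <span> elements.
function renderTags(tags) {
  return tags.map((t) => `<span class="tag">${escapeHtml(t)}</span>`).join('');
}

// Constructed request body: the advisory's test payload next to a normal tag.
const sampleBody = { tags: ['billing', "<script>alert('XSS')</script>"] };
console.log(validateTags(sampleBody.tags)); // ok: false, payload in rejected
console.log(renderTags(sampleBody.tags));   // payload appears as &lt;script&gt;...
```

The validator runs on the POST handler before the ticket is saved; the escaping belongs wherever the ticket view template emits tag names.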
🧯 If You Can't Patch
- Disable ticket creation for untrusted users or restrict tag functionality
- Implement WAF rules to block XSS payloads in POST requests to ticket creation endpoints
🔍 How to Verify
Check if Vulnerable:
Test by creating a ticket with a tag containing <script>alert('XSS')</script> and checking whether the script executes when the ticket is viewed.
Check Version:
Check package.json or the application settings for the version number, or run 'npm list trudesk' if it was installed via npm.
Verify Fix Applied:
After patching, repeat the test with the same payload; the script should not execute and the tag should be displayed as plain text.
📡 Detection & Monitoring
Log Indicators:
- Unusual tag entries containing script tags or JavaScript code in ticket creation logs
- Multiple failed XSS attempts in web server logs
Network Indicators:
- POST requests to /api/v1/tickets with script tags in parameters
- Unusual outbound connections from Trudesk server after ticket views
SIEM Query:
source="trudesk" AND (http_method="POST" AND uri_path="/api/v1/tickets" AND (param="tags" CONTAINS "<script>" OR param="tags" CONTAINS "javascript:"))