Share
## https://sploitus.com/exploit?id=PACKETSTORM:180374
# Exploit Title: Stored XSS Vulnerability via File Name  
# Google Dork: N/A  
# Date: 08 Aug 2024  
# Exploit Author: Md. Sadikul Islam  
# Vendor Homepage: https://www.helpdeskz.com/  
# Software Link:  
https://github.com/helpdesk-z/helpdeskz-dev/archive/2.0.2.zip  
# Version: v2.0.2  
# Tested on: Kali Linux / Firefox 115.1.0esr (64-bit)  
# CVE : N/A  
  
Payload: "><img src=x onerror=alert(1);>  
Filename can be Payload: "><img src=x onerror=alert(1);>.jpg  
  
VIdeo PoC:  
https://drive.google.com/file/d/1_yh0UsX8h7YcSU1kFvg_bBwk9T7kx1K1/view?usp=drive_link  
  
Steps to Reproduce:  
1. Log in as a regular user and create a new ticket.  
2. Fill out all the required fields with the necessary information.  
3. Attach an image file with a malicious payload embedded in the  
filename.  
4. Submit the ticket.  
5. Access the ticket from the administration panel to trigger the  
payload execution.  
  
Cross-Site Scripting (XSS) exploits can compromise the administration  
panel, directly affecting administrators by allowing malicious scripts to  
execute within their privileged environment.