Zendesk SweetHawk Survey Persistent Cross-Site Scripting Vulnerability
Vulnerability
A persistent cross-site scripting vulnerability has been identified in Zendesk SweetHawk Survey version 1.6. This vulnerability allows attackers to inject malicious scripts into support ticket submissions. The injected scripts, such as those contained within script tags, are executed automatically when survey pages are accessed by other users.
Impact
Exploitation of this vulnerability allows for persistent cross-site scripting, where injected scripts are executed in the context of the user viewing the survey page.
Reproduction
To reproduce this vulnerability, open a support ticket in Zendesk and insert an XSS payload, such as a script tag including JavaScript code, into the ticket text. Once the ticket is submitted, generate a survey request to rate the ticket. The injected script payload will execute when the survey page is loaded.
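The defensive counterpart to the behaviour described above is output encoding: ticket text must be treated as data, not markup, when the survey page is rendered. The following is an added example (not SweetHawk or Zendesk code) that contrasts raw interpolation of ticket fields with HTML entity encoding, and includes a small helper a test suite can use to detect foreign tags in rendered output. All function names and the sample ticket are constructed for this illustration.

```javascript
// Added example (not SweetHawk/Zendesk code): render ticket text into a survey
// page with HTML entity encoding so markup in the ticket body is displayed as
// text rather than interpreted by the browser. Names are this example's own.

// Characters that must be encoded in HTML text nodes and quoted attributes.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode a value for safe interpolation into an HTML text node or a
// double-quoted attribute value (HTML context only; JS/URL contexts differ).
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: user-controlled ticket fields are concatenated into the
// page unchanged, so a tag in the ticket body becomes live DOM.
function renderSurveyUnsafe(ticket) {
  return `<div class="ticket-summary">${ticket.subject}<p>${ticket.body}</p></div>`;
}

// Hardened pattern: every user-controlled value passes through escapeHtml
// before it is placed in the template.
function renderSurveySafe(ticket) {
  return `<div class="ticket-summary">${escapeHtml(ticket.subject)}<p>${escapeHtml(ticket.body)}</p></div>`;
}

// Test-suite helper: does the rendered markup contain any tag that did not
// come from the template itself? Used here as a regression check.
const TEMPLATE_TAGS = new Set(['div', '/div', 'p', '/p']);
function containsForeignTag(html) {
  const tagPattern = /<\s*(\/?\s*[a-zA-Z][a-zA-Z0-9-]*)/g;
  let match;
  while ((match = tagPattern.exec(html)) !== null) {
    const name = match[1].replace(/\s+/g, '').toLowerCase();
    if (!TEMPLATE_TAGS.has(name)) return true;
  }
  return false;
}

// Constructed sample ticket: the body carries markup that a browser would
// otherwise treat as an executable script element.
const SAMPLE_TICKET = {
  subject: 'Printer offline',
  body: 'Still broken <script>/* constructed test input */</script> please help',
};

console.log('unsafe :', renderSurveyUnsafe(SAMPLE_TICKET));
console.log('safe   :', renderSurveySafe(SAMPLE_TICKET));
console.log('foreign tag in unsafe output:', containsForeignTag(renderSurveyUnsafe(SAMPLE_TICKET)));
console.log('foreign tag in safe output  :', containsForeignTag(renderSurveySafe(SAMPLE_TICKET)));
```

The encoding shown is correct only for HTML text and quoted-attribute contexts; if ticket text were instead placed inside a script block, an event handler, or a URL, a different encoder for that context would be required, which is why template engines with automatic context-aware escaping are the usual fix rather than hand-written concatenation.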
