HelpDeskZ
cpe:2.3:a:helpdeskz:helpdeskz:*:*:*:*:*:*:*
- < 2.0.2
A stored cross-site scripting vulnerability has been identified in HelpDeskZ versions prior to 2.0.2. This vulnerability allows remote attackers to execute arbitrary JavaScript in the administration panel. The issue arises when a malicious payload is included in the file name of an uploaded file while creating a new ticket.
Because the payload is stored, exploitation causes the injected script to execute in the context of the user accessing the administration panel.
To reproduce this vulnerability, log in as a regular user and create a new ticket. Fill in the required fields and attach an image file with a malicious payload embedded in the filename. After submitting the ticket, access it from the administration panel to trigger the execution of the payload.
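The bug class described above, shown from the defender's side as an added example in PHP, the language HelpDeskZ is written in. It is not HelpDeskZ code and not the project's fix; the function names and the sample file name are assumptions made for illustration.

```php
<?php
// Added illustration, not HelpDeskZ source. All function names are hypothetical.

// Vulnerable pattern: the client-supplied file name is written into the
// admin ticket view unchanged, so markup in the name becomes live HTML.
function render_attachment_unsafe(string $name): string
{
    return '<li class="attachment">' . $name . '</li>';
}

// Hardened rendering: encode for the HTML context at output time.
// ENT_QUOTES also covers use inside quoted attribute values.
function render_attachment_safe(string $name): string
{
    return '<li class="attachment">'
        . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</li>';
}

// Defence in depth at upload time: keep only the base name and a
// conservative character set before the name is stored with the ticket.
function normalize_upload_name(string $clientName): string
{
    $base  = basename(str_replace('\\', '/', $clientName));
    $clean = preg_replace('/[^A-Za-z0-9._-]+/', '_', $base);
    $clean = trim((string) $clean, '._');
    return $clean === '' ? 'attachment' : substr($clean, 0, 120);
}

// Constructed sample: harmless markup carried in an image's file name.
$uploaded = '<b id=probe>report.png';

// Regression check a test suite could run against the admin view:
// no raw "<" from the file name may survive into the rendered HTML.
$unsafeHtml = render_attachment_unsafe($uploaded);
$safeHtml   = render_attachment_safe($uploaded);
$storedName = normalize_upload_name($uploaded);

printf("unsafe view keeps raw tag : %s\n",
    strpos($unsafeHtml, '<b id=probe>') !== false ? 'yes' : 'no');
printf("safe view keeps raw tag   : %s\n",
    strpos($safeHtml, '<b id=probe>') !== false ? 'yes' : 'no');
printf("safe view output          : %s\n", $safeHtml);
printf("name stored after cleanup : %s\n", $storedName);
```

Output encoding in the view is the control that closes the hole; the upload-time normalization only narrows what can reach storage and does not replace it.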