Wisencode Cross-Site Scripting Vulnerability in Support Ticket Creation
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in Wisencode versions prior to 20251012. The issue arises in the 'Create Support Ticket Handler' component, specifically within the '/support-ticket/create' file. The vulnerability is triggered by manipulating the 'Message' argument, allowing remote attackers to inject malicious scripts. This flaw could be exploited to execute scripts in the context of the user's session.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting: the injected script is saved with the ticket and executed in the browser, and with the session privileges, of whichever user later views it, including an administrator reviewing the ticket.
Reproduction
To reproduce this vulnerability, register as a standard user on a Wisencode-based site. After logging in, navigate to the profile page and select 'Create a Support Ticket'. Fill in the email and subject fields, and inject a malicious script into the message field. Submit the ticket, then log in as an admin to view the submitted ticket, where the injected script will execute in the admin's browser.
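The rendering pattern behind this bug, and the fix, in a short added example (illustrative Python, not Wisencode's own code; the ticket fields are the ones named in the advisory and the sample content is constructed): the vulnerable admin view interpolates the stored message straight into HTML, the hardened view applies contextual output encoding, and a tag-count check gives a regression test that flags user-supplied markup surviving into the page.

```python
import html
import re
from dataclasses import dataclass


@dataclass
class SupportTicket:
    email: str
    subject: str
    message: str


# Constructed sample ticket; the script tag stands in for attacker-controlled content.
SAMPLE_TICKET = SupportTicket(
    email="user@example.invalid",
    subject="Order question",
    message="Hello <script>/* constructed marker */</script> thanks",
)


def render_ticket_vulnerable(ticket: SupportTicket) -> str:
    """Admin view that emits user-controlled fields raw into HTML.

    The message is stored as submitted and later inserted into the admin's
    page without encoding, which is exactly the stored-XSS pattern."""
    return (
        f"<div class='ticket'><p>From: {ticket.email}</p>"
        f"<h3>{ticket.subject}</h3><p>{ticket.message}</p></div>"
    )


def render_ticket_hardened(ticket: SupportTicket) -> str:
    """Same view with HTML output encoding applied to every user field.

    Markup in the message is rendered as visible text rather than parsed
    by the viewer's browser."""
    e = html.escape  # escapes & < > and, by default, quotes
    return (
        f"<div class='ticket'><p>From: {e(ticket.email)}</p>"
        f"<h3>{e(ticket.subject)}</h3><p>{e(ticket.message)}</p></div>"
    )


TAG_RE = re.compile(r"<[a-zA-Z/!][^>]*>")
TEMPLATE_TAG_COUNT = 8  # div, p, /p, h3, /h3, p, /p, /div emitted by the template itself


def user_markup_survives(rendered: str, template_tags: int = TEMPLATE_TAG_COUNT) -> bool:
    """Regression check: any tag beyond those the template emits came from user data."""
    return len(TAG_RE.findall(rendered)) > template_tags
```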
