Helpy.io Stored Cross-Site Scripting Vulnerability Allowing Privilege Escalation

Vulnerability

A stored cross-site scripting vulnerability has been identified in Helpy.io version 2.8.0. It allows a remote attacker to execute arbitrary JavaScript in the browser of a privileged user. The issue arises when an HTML file is uploaded as an attachment while creating a new topic (ticket): the file is stored as-is and later served inline, with no sanitization and no download-forcing headers, so the browser renders it as a page and executes its script in the application's context. Successful exploitation could lead to account takeover or unauthorized actions within the application.

Impact

Exploitation of this vulnerability allows execution of attacker-controlled JavaScript in the context of an admin or staff user who opens the attachment. Because the script runs with that user's origin and session, it can read the CSRF token from the page and issue authenticated requests on the user's behalf; this enables unauthorized actions within the application and, where session cookies are readable by script, session hijacking.

Reproduction

To reproduce this vulnerability, first navigate to the 'New Topic' creation page and capture the CSRF token from the page's meta tag, since the form submission requires it. Then create a new ticket, attaching an HTML file that contains a script payload. Once the ticket is saved, the attachment is reachable through a link; when a privileged user opens that link, the browser renders the HTML inline and the embedded JavaScript executes in their session.

Remediation

Administrators are advised to reject HTML file uploads outright or, if they must be accepted, to sanitize them with a proper HTML sanitizer rather than a tag blocklist. Independently of that, user-uploaded files should never be rendered inline: serve them with a Content-Disposition header set to 'attachment' and an X-Content-Type-Options header set to 'nosniff', so the browser downloads the file instead of rendering it and does not re-interpret an octet-stream response as HTML. A restrictive Content Security Policy on attachment routes (for example default-src 'none' together with the sandbox directive) limits the damage if a file is rendered anyway. Finally, determine the type of an upload from its content on the server rather than trusting the client-supplied Content-Type or the file extension, and treat HTML, XHTML, XML and SVG as active content that must not be served inline.
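The serving-side fix described above, as an added example that is not Helpy's own code: Helpy is a Rails application, but this is plain Ruby with no framework so it runs on its own. It puts the weak behaviour this advisory describes (client-declared type, inline disposition) next to a hardened version that identifies the upload from its bytes, refuses active content at upload time, and serves everything else with the download-forcing and sniffing-resistant headers listed in the Remediation section. All function names, constants and the sample uploads are assumptions constructed for this illustration.

```ruby
# Added example, not Helpy's code. Names and sample inputs are constructed.

# Types that can carry script executing in the serving origin; never inline.
ACTIVE_TYPES = %w[text/html application/xhtml+xml image/svg+xml
                  application/xml text/xml].freeze

# Only types whose bytes were positively identified may be shown inline.
INLINE_ALLOWLIST = %w[image/png image/jpeg image/gif].freeze

# Tag prefixes a browser's MIME sniffer treats as HTML/XML when they appear
# near the start of a response.
ACTIVE_MARKERS = %w[<!doctype <html <head <body <script <iframe <object
                    <embed <meta <svg <?xml].freeze

# Identify the upload from its bytes, not from the client-supplied
# Content-Type or the file extension. Returns nil when nothing is recognised.
def detect_type(bytes)
  head = bytes.to_s.byteslice(0, 1024).b
  return 'image/png'  if head.start_with?("\x89PNG\r\n\x1a\n".b)
  return 'image/jpeg' if head.start_with?("\xFF\xD8\xFF".b)
  return 'image/gif'  if head.start_with?('GIF87a'.b, 'GIF89a'.b)
  lower = head.downcase
  return 'image/svg+xml' if lower.include?('<svg')
  return 'text/html' if ACTIVE_MARKERS.any? { |m| lower.include?(m) }
  nil
end

# Before (the behaviour this advisory describes): stream the file back with
# the uploader's declared type and an inline disposition. An uploaded .html
# file renders in the application's origin and its script runs for whoever
# opens the link.
def vulnerable_headers(filename, declared_type)
  { 'Content-Type' => declared_type,
    'Content-Disposition' => "inline; filename=\"#{filename}\"" }
end

# After, step 1: refuse active content at upload time, whatever the
# extension or the declared Content-Type says.
def accept_upload?(declared_type, bytes)
  declared = declared_type.to_s.downcase.split(';').first.to_s.strip
  return false if ACTIVE_TYPES.include?(declared)
  !ACTIVE_TYPES.include?(detect_type(bytes))
end

# Keep the user's filename out of header-injection range: drop any path and
# anything outside a conservative character set.
def safe_filename(name)
  base = File.basename(name.to_s).gsub(/[^A-Za-z0-9._-]/, '_')
  base.empty? ? 'attachment' : base
end

# After, step 2: serve with the sniffed type. Anything not on the inline
# allowlist goes out as application/octet-stream with a download
# disposition; nosniff stops the browser from second-guessing that, and the
# CSP sandbox denies script even if some other bug let a document render.
def safe_headers(filename, bytes)
  type = detect_type(bytes)
  inline = INLINE_ALLOWLIST.include?(type)
  { 'Content-Type' => inline ? type : 'application/octet-stream',
    'Content-Disposition' =>
      "#{inline ? 'inline' : 'attachment'}; filename=\"#{safe_filename(filename)}\"",
    'X-Content-Type-Options' => 'nosniff',
    'Content-Security-Policy' => "default-src 'none'; sandbox" }
end

# Constructed sample uploads for the demonstration.
PAYLOAD_HTML    = '<html><body><script>alert(document.domain)</script></body></html>'.b
SVG_WITH_SCRIPT = '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'.b
PNG_STUB        = ("\x89PNG\r\n\x1a\n" + "\x00" * 16).b

if __FILE__ == $PROGRAM_NAME
  puts "before:                        #{vulnerable_headers('evil.html', 'text/html')}"
  puts "html declared as image/png ok? #{accept_upload?('image/png', PAYLOAD_HTML)}"
  puts "svg declared as image/png ok?  #{accept_upload?('image/png', SVG_WITH_SCRIPT)}"
  puts "real png ok?                   #{accept_upload?('image/png', PNG_STUB)}"
  puts "after (html): #{safe_headers('evil.html', PAYLOAD_HTML)}"
  puts "after (png):  #{safe_headers('logo.png', PNG_STUB)}"
end
```

The two halves are independent layers: the upload check is what stops the HTML from being stored at all, and the serving headers are what keep an already-stored or mis-detected file from rendering. The detection is deliberately one-sided (it only needs to recognise active content and a short allowlist of image signatures; everything else is treated as opaque and downloaded), and the sniffing markers are checked anywhere in the first kilobyte because browsers do the same. Hosting attachments on a separate origin is a further layer, outside what this advisory covers, that removes the privileged user's session from the picture entirely.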

Added: Aug 26, 2025, 5:21 PM
Updated: Aug 26, 2025, 5:21 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 5.4
exploitability: 7.9
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.