Deskpro is a widely used helpdesk platform, available both as a cloud product and on-premise. While testing it I found and reported three stored XSS issues, each assigned its own CVE. They share a theme: a low-privileged, or in one case unauthenticated, user can store a JavaScript payload that later executes in another user's session, leading to account takeover or privilege escalation. Here's each one.
Stored XSS in custom email templates
Stored XSS in the file download feature
Stored XSS in profile social links
The common thread
All three come down to the same root cause: fields that accept links never sanitized the javascript: URI scheme. Whether it's an email template, a file-download link, or a social link on a profile, letting javascript:alert(1) be saved and later rendered is enough to run arbitrary script in a victim's context. The fix is identical across all three: validate and normalize URLs on the server, reject dangerous schemes like javascript:, and escape user-supplied content before it's rendered.
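The fix described above, written out as an added example (this is not Deskpro's code or the author's; the allowlist of schemes and the helper names are my assumptions). The validator follows the same first steps a browser's URL parser takes before it looks at the scheme, which is why a blocklist on the literal string "javascript:" is not enough: leading control characters, embedded tabs or newlines, and mixed case all get normalized away by the browser, so they must be normalized away before the check too. Safe links are then HTML-escaped at render time; anything that fails the check is rendered as plain text instead of a link.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Assumption: a social link or template link only ever needs these schemes.
# Allowlisting is the point; "not javascript:" as a blocklist misses data:,
# vbscript: and any scheme added later.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# U+0000..U+0020: the C0 controls plus space that the WHATWG URL parser trims
# from both ends before parsing.
_LEADING_TRAILING_JUNK = "".join(chr(c) for c in range(0x21))
# ASCII tab and newline are removed anywhere in the input by the same parser,
# so "java\tscript:" reaches the browser as "javascript:".
_TAB_NEWLINE = re.compile(r"[\t\n\r]")


def normalize_url(raw: str) -> str:
    """Apply the browser's pre-parse normalization so the scheme check sees
    the same string the victim's browser will."""
    return _TAB_NEWLINE.sub("", raw.strip(_LEADING_TRAILING_JUNK))


def safe_href(raw: str) -> Optional[str]:
    """Return the normalized URL if its scheme is allowlisted, else None."""
    url = normalize_url(raw)
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal in the host
        return None
    scheme = parts.scheme.lower()  # urlsplit already lowercases; be explicit
    if scheme not in ALLOWED_SCHEMES:
        return None
    if scheme in ("http", "https") and not parts.netloc:
        return None  # "http:alert(1)" has no host; reject rather than guess
    return url


def render_link(raw: str, label: str) -> str:
    """Render a stored link for HTML output. The URL is validated and the
    attribute value is escaped; a rejected URL degrades to escaped text."""
    href = safe_href(raw)
    safe_label = html.escape(label, quote=True)
    if href is None:
        return safe_label
    return f'<a href="{html.escape(href, quote=True)}">{safe_label}</a>'


if __name__ == "__main__":
    # Constructed payloads of the kind the three CVEs describe, plus benign input.
    samples = [
        "javascript:alert(1)",
        "JaVaScRiPt:alert(1)",
        " \x01java\tscript:alert(1)",
        "data:text/html,<script>alert(1)</script>",
        "http:alert(1)",
        "https://twitter.com/R29k_",
        "mailto:support@example.com",
    ]
    for s in samples:
        print(repr(s), "->", safe_href(s))
    print(render_link('https://example.com/?a=1&b="x"', "<b>profile</b>"))
```

Reject-and-store-as-text is deliberate: normalizing a bad scheme into a "fixed" URL (say, by prefixing http://) changes what the user entered and has its own history of bypasses, and escaping alone does not help here because a javascript: value inside a quoted href needs no quote or angle bracket to fire.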
Video PoCs are available for each issue. Questions or feedback? Reach me on Twitter @R29k_. Thanks for reading.