Stored XSS vulnerability in the request history of SupportCenter Plus versions 11019 and below
Severity : Medium
CVE ID : CVE-2022-25373
Affected software version(s) : 11019 and below
Fixed version(s) : 11020
Fixed on : March 22, 2022
Details
This vulnerability allows any low-privileged user to inject arbitrary JavaScript into the request by editing the ticket, making higher privileged or other low-privilege users' systems vulnerable to a breach. The JavaScript gets executed from the application (even without any prior interaction) once the target users view the request history.
Impact
Enables users to inject malicious code into the application.
Steps to upgrade
Customers can upgrade to the latest version (11020) using the appropriate migration path listed here.
Work-arounds
Customers must upgrade to the latest version of SupportCenter Plus.
Acknowledgements
Reported by Matt in our bug bounty portal.