Vulnerable Version: 1.2.0
Fixed Version: 1.2.1
ArcticDesk is a lightweight support help desk solution. It lets you manage tickets, emails, announcements, articles, downloads and more, all in one place.
There are numerous XSS vulnerabilities present in both the client frontend and the administrator frontend, the most severe of which can be triggered when viewing tickets.
Proof of Concept:
Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.
We have rated this vulnerability HIGH because the XSS payload is executed in the administrator frontend, where it can also be leveraged to mount a CSRF attack.
This vulnerability was tested against ArcticDesk v1.2.0.
This vulnerability was patched in ArcticDesk v1.2.1.
Vendor Contact Timeline:
2013-05-02: Vendor contacted via email.
2013-05-02: Vendor confirms vulnerability.
2013-06-25: Vendor issues 1.2.1 update.
2013-07-24: Rack911 issues security advisory.