ArcticDesk – Multiple XSS Flaws (R911-0048)

Type: XSS
Location: Remote
Impact: High
Product: ArcticDesk
Vulnerable Version: 1.2.0
Fixed Version: 1.2.1
CVE: -
R911: 0048
Date: 2013-07-24

Product Description:

ArcticDesk is a lightweight support help desk solution. It lets you manage tickets, emails, announcements, articles, downloads and more, all in one place.

Vulnerability Description:

There are numerous XSS vulnerabilities in both the client frontend and the administrator frontend; the most severe of these are triggered when viewing tickets.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

We rate this vulnerability HIGH because the injected script executes in the administrator frontend, where it can also be used to mount a CSRF attack.

Vulnerable Version:

This vulnerability was tested against ArcticDesk v1.2.0.

Fixed Version:

This vulnerability was patched in ArcticDesk v1.2.1.

Vendor Contact Timeline:

2013-05-02: Vendor contacted via email.
2013-05-02: Vendor confirms vulnerability.
2013-06-25: Vendor issues 1.2.1 update.
2013-07-24: Rack911 issues security advisory.