Vision HelpDesk 4 – Client Area XSS Vulnerabilities (R911-0176)

Type: XSS
Location: Remote
Impact: High
Product: Vision HelpDesk
Website: http://www.thevisionworld.com/
Vulnerable Version: 4.0.0
Fixed Version: 4.0.2
CVE: -
R911: 176
Date: 2015-05-01
By: RACK911 Labs

Product Description:

Vision Helpdesk is the only web based Help Desk Software that allows you to manage support for multiple companies in one place, with a single staff portal for all companies and a separate client portal for each company.

Vulnerability Description:

Numerous fields within the client area accept raw HTML, and that HTML is later rendered unescaped in the admin panel, so script injected by a client executes in the browser of any staff member who views it. Stealing a staff member's session cookie through such an XSS attack and hijacking the admin account is a realistic outcome.
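As an added illustration (not code from this advisory or from Vision HelpDesk), the Python below contrasts the pattern behind this class of bug, echoing client-submitted fields into staff-panel HTML verbatim, with output encoding of the same fields, and adds the cookie attributes that limit session theft when an XSS does slip through. The field names, sample values and helper functions are constructed for the example and are not taken from the product.

```python
import html
import re

# Constructed sample of values a client could submit through client-area
# form fields. Test strings for this example, not data from the advisory.
CONSTRUCTED_TICKET = {
    "name": 'Alice <b>"Support"</b>',
    "subject": "Printer offline <script>alert(1)</script>",
    "message": 'Please help <img src=x onerror="alert(2)">',
}

FIELDS = ("name", "subject", "message")


def render_field_unsafe(value: str) -> str:
    """Vulnerable pattern: the stored value is embedded in the staff-panel
    HTML exactly as the client submitted it."""
    return f"<td>{value}</td>"


def render_field_safe(value: str) -> str:
    """Hardened pattern: escape for an HTML text context before embedding.
    quote=True also encodes quotes, which matters inside attributes."""
    return f"<td>{html.escape(value, quote=True)}</td>"


def render_row(ticket: dict, escape: bool) -> str:
    """Build one table row of the staff view from a ticket dict."""
    render = render_field_safe if escape else render_field_unsafe
    return "<tr>" + "".join(render(ticket[k]) for k in FIELDS) + "</tr>"


# Anything that still looks like a tag start inside a cell: "<" followed by
# a letter, "/" or "!" (covers <script>, </td>, <!-- ... -->).
_TAG_START = re.compile(r"<[A-Za-z/!]")


def cell_contents(row: str) -> list:
    """Return the inner text of each <td> cell of a rendered row."""
    return re.findall(r"<td>(.*?)</td>", row, flags=re.S)


def active_markup(row: str) -> bool:
    """True if any cell of the rendered row still carries live markup,
    i.e. client-supplied HTML survived into the staff page."""
    return any(_TAG_START.search(cell) for cell in cell_contents(row))


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for a staff session (cookie name is assumed).
    HttpOnly keeps document.cookie from reading it, Secure restricts it
    to HTTPS, SameSite=Lax limits cross-site sends."""
    return f"staff_session={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    unsafe = render_row(CONSTRUCTED_TICKET, escape=False)
    safe = render_row(CONSTRUCTED_TICKET, escape=True)
    print("unsafe row carries markup:", active_markup(unsafe))  # True
    print("safe row carries markup:  ", active_markup(safe))    # False
    print(safe)
    print(session_cookie_header("example-session-id"))
```

The `active_markup` check is the kind of assertion a regression test for the fix can make: render each client-controlled field through the staff view and confirm no tag start survives. Escaping on output is the primary fix; the cookie attributes are defence in depth and do not remove the XSS itself.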

Impact:

We rate this vulnerability HIGH because staff and admin accounts can be hijacked.

Vulnerable Version:

This vulnerability was tested against Vision HelpDesk 4.0.0 and is believed to exist in all versions prior to the fixed builds below.

Fixed Version:

This vulnerability was patched in Vision HelpDesk 4.0.2.

Vendor Contact Timeline:

2015-04-22: Vendor contacted via email.
2015-04-23: Vendor confirms vulnerability.
2015-05-01: Vendor issues updates to all builds.
2015-05-01: RACK911 Labs issues security advisory.