what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Zendesk SweetHawk Survey 1.6 Cross Site Scripting

Zendesk SweetHawk Survey 1.6 Cross Site Scripting
Posted Dec 17, 2019
Authored by MTK

Zendesk SweetHawk Survey version 1.6 suffers from a persistent cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | f751cb359e1a35ef38d2c0f5d6b8428e724916ec524d59cf8ba7067d7a09150a

Zendesk SweetHawk Survey 1.6 Cross Site Scripting

Change Mirror Download
# Exploit Title: Zendesk App SweetHawk Survey 1.6 - Persistent Cross-Site Scripting
# Date: 2019-12-17
# Exploit Author: MTK
# Vendor Homepage: https://sweethawk.co/zendesk/survey-app
# Software Link: https://www.zendesk.com/apps/support/survey/
# Version: Up to v1.6
# Tested on: Zendesk - Firefox/Windows

# Software description:
# Sweet Hawk Survey app ask customers for a 0-10 score instead of the normal good or bad question.
# You can get more granular satisfaction data without compromising the response rate.
# Ask an optional NPS question on the landing page. View reports and drill down into the response
# detail and go directly to the ticket. Easy to set up, just replace the survey place holder in
# your trigger or automation. Customize the landing pages for each of your brands.

# Technical Details & Impact:
# Attackers use vulnerable web pages to inject malicious code and have it stored on the web server
# for later use. The payload is automatically served to users who browse web pages and executed in
# their context. Thus, the victims do not need to click on a malicious link to run the payload.
# All they have to do is visit a vulnerable web page.

# POC

1. Open Support ticket in Zendesk and send XSS payload e.g;
<script>alert(1);</script>
2. Generate survey request to rate the ticket and payload will execute;

# Time line
09-19-2019 - Vulnerability discovered
09-20-2019 - Vendor contacted
12-02-2019 - Detailed report shared and full disclosure time line given with no response
12-17-2019 - Full Disclosure
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    0 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close