Hi all,
I just discovered an agent adding a note to a ticket. The only text in the note was: “<script>alert(“Hi”);</script>”. When you open the ticket, the JavaScript code executes and you get the “Hi” alert.
I’m not much of a web admin, I’m more of a developer, and I’m not that much into web-server security.
I’d like to know if you think this could be a security risk. Bear in mind that we are creating tickets from emails, and that these tickets will be HTML if the email’s MIME type was text/html.
Kind regards,
Juan Clavero
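Added example (my own code, not from Juan's message and not from the ticketing product): it reproduces the path the post describes, an e-mail whose text/html part carries a script, and shows the stored body being dropped into the page as-is versus being passed through an allowlist sanitizer first. The sample e-mail is constructed, and the helper names (extract_html_body, sanitize_html, render_note_unsafe, render_note_safe) are hypothetical; the post does not say how the real system stores or renders notes.

```python
"""Stored XSS via HTML e-mail bodies: unsafe vs. sanitized rendering.

Assumed (not stated in the post): the ticket system keeps the raw HTML
body of the e-mail and later inserts it into the agent's page.
"""
from email import message_from_string
from email.policy import default
from html import escape
from html.parser import HTMLParser
from typing import Optional

# Constructed sample: the kind of e-mail described in the post, as a MIME message.
SAMPLE_EMAIL = """\
From: someone@example.com
To: support@example.com
Subject: ticket test
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Hello,</p><script>alert("Hi");</script><a href="javascript:alert(1)">x</a>
"""

# Small allowlist; anything not listed is dropped (tag) or stripped (attribute).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}      # drop the tag AND its contents
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


def extract_html_body(raw: str) -> Optional[str]:
    """Return the decoded text/html part of a raw e-mail, or None if absent."""
    msg = message_from_string(raw, policy=default)
    part = msg.get_body(preferencelist=("html",))
    return None if part is None else part.get_content()


class _Sanitizer(HTMLParser):
    """Rebuilds the HTML from an allowlist; every text node is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0          # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            # on* handlers are never allowed; other attributes only per allowlist.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href":
                # Only absolute http/https/mailto links survive; this rejects
                # javascript:, data:, and obfuscated variants by construction.
                if not (value or "").strip().lower().startswith(SAFE_URL_SCHEMES):
                    continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip = max(0, self._skip - 1)
            return
        if self._skip or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))


def sanitize_html(html: str) -> str:
    p = _Sanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)


def render_note_unsafe(html_body: str) -> str:
    """What the post describes: the stored HTML lands in the page unchanged."""
    return f'<div class="note">{html_body}</div>'


def render_note_safe(html_body: str) -> str:
    """Same page, but the body goes through the allowlist first."""
    return f'<div class="note">{sanitize_html(html_body)}</div>'


if __name__ == "__main__":
    body = extract_html_body(SAMPLE_EMAIL)
    print("unsafe:", render_note_unsafe(body))
    print("safe:  ", render_note_safe(body))
```

The sanitizer is deliberately strict: relative links and anything outside the allowlist are dropped rather than repaired, which is the right default for content that arrives from arbitrary senders. Sanitizing at ingest (when the ticket is created) rather than only at render time means every later consumer of the note, including exports and API clients, gets the cleaned copy.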