@bybit-sec
Last active May 25, 2023 02:26
Multiple XSS
1. Stored XSS in ticket comments
A malicious user can submit a ticket to apply for access to certain resources. After submitting the ticket, the user can also add comments to it. When an administrator opens the ticket to approve it, they see the comments for details. Because the user's input is not filtered and v-html is used to render it directly, the result is a stored XSS vulnerability that can execute arbitrary JavaScript with the administrator's permissions, for example performing CSRF to promote the normal user to the administrator role.
Affected versions
2.24.0 <= version <= 2.28.X
Reference
https://github.com/jumpserver/lina/pull/2264
Steps to reproduce
1. Log in as a normal user.
2. Submit a ticket applying for something.
3. Add a comment: <img src=x onerror='alert(document.cookie)'>
4. Wait for an administrator to open the ticket, which triggers the XSS.
5. With another payload, when the administrator opens the ticket, it will promote the normal user to an administrator via CSRF, like this:
<img src=x onerror='alert(document.cookie)'>
2. Stored XSS in Alarm Message Subscribers
Vulnerability description
JumpServer provides a feature for restricting dangerous commands. Administrators can receive alarm messages by setting recipients. When setting the recipient, the third-party component used renders the 'label' parameter with v-html, so a crafted username results in a stored XSS vulnerability that can execute arbitrary JavaScript with the administrator's permissions, for example performing CSRF to promote a normal user to the administrator role.
Affected versions
2.10.0 <= version <= 2.28.X
Reference
https://github.com/jumpserver/lina/pull/2264
https://github.com/Krryxa/krry-transfer/blob/master/src/packages/paging/models/box.vue#L50
Severity
Medium
Steps to reproduce
1. Log in to JumpServer as an administrator (administrator permission is required).
2. Add a new user whose name or username is: <img src=x onerror='alert(document.cookie)'>
3. Open System Settings -> Message -> change receivers; the XSS executes.
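Both findings above share one root cause: a user-controlled string (a ticket comment, a username passed as a component's `label`) is inserted into the page as markup via v-html instead of as text. The following is an added example, not code from the advisory or from the JumpServer/lina project. It models the two rendering paths as plain string functions (`renderRaw` stands in for `v-html`, `renderEscaped` for `{{ }}` text interpolation), shows that the advisory's quoted payload stays inert once escaped, and adds a server-side username check as defence in depth. All function names and the allowed-character rule are assumptions made for this example.

```javascript
// Added example (not from the advisory or the JumpServer project).
// Models how a ticket comment or username renders through raw HTML insertion
// (the v-html behaviour described above) versus escaped text interpolation.
// PAYLOAD is the string quoted in the advisory's reproduction steps.
const PAYLOAD = "<img src=x onerror='alert(document.cookie)'>";

// Escape the five characters that let a string break out of HTML text or
// attribute context. Vue's {{ }} interpolation performs this escaping for you;
// v-html skips it and hands the string to innerHTML as-is.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Equivalent of <div class="comment" v-html="comment"></div>:
// the user-controlled string becomes markup in the DOM.
function renderRaw(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Equivalent of <div class="comment">{{ comment }}</div>:
// the user-controlled string stays text.
function renderEscaped(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Check whether a rendered fragment contains any element other than the
// wrapper we emitted: a "<" followed by a tag name inside the body means
// attacker-controlled markup reached the DOM. A real test harness would parse
// the fragment; a regex is enough to show the contrast here.
function containsForeignTag(html) {
  const body = html
    .replace(/^<div class="comment">/, "")
    .replace(/<\/div>$/, "");
  return /<\s*[a-zA-Z]/.test(body);
}

// Server-side validation for names and usernames (hypothetical rule): the
// second finding is a username rendered through a component's label, so reject
// anything that is not a letter, digit, space, dot, underscore or hyphen.
// This is defence in depth, not a replacement for output encoding.
const USERNAME_RE = /^[\p{L}\p{N} ._-]{1,64}$/u;
function isAcceptableUsername(name) {
  return USERNAME_RE.test(String(name));
}

// Stand-alone demonstration of the contrast.
console.log("raw     :", renderRaw(PAYLOAD), "-> foreign tag:", containsForeignTag(renderRaw(PAYLOAD)));
console.log("escaped :", renderEscaped(PAYLOAD), "-> foreign tag:", containsForeignTag(renderEscaped(PAYLOAD)));
console.log("username accepted:", isAcceptableUsername(PAYLOAD));
```

The fix in the referenced pull request is on the output side (stop rendering untrusted strings with v-html); the username check here only narrows what reaches that sink and would not help for fields that legitimately contain markup characters.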