XSS Vulnerability via uploading html and svg files

[raghavfaveo]

• Faveo Version : 9.2.0
• Product Name : Faveo Helpdesk & Servicedesk (On-Premise and Cloud)
• Reported By : Asad Iqbal
  Link: https://github.com/Asadiqbal2

Description:

Issue - XSS code placed in html and svg format files can be uploaded, attached and thereby executable after ticket is created and the attachment is clicked open.

Details and steps to reproduce given in below document
XSS.Via.File.Upload.pdf

Steps To Reproduce:

Screenshots:

1. Html file uploaded with malicious content

2. When the file is clicked open

Sample html file can be crated with following xss code

<script>window.location.href="https://evil.com"</script>