This bug allows a malicious party to add themselves as a helpdesk administrator via a crafted XSS/CSRF combination. It affects all versions of the Helpdesk Pilot software. I have received confirmation from the developers that this bug has been patched in the latest version of the software. There is a video demonstration of this attack below.
The attacker submits a ticket containing a malicious URL which results in JavaScript execution when the ticket is rendered. If an administrator views this ticket, the injected script performs a cross-site request forgery in the administrator's session and adds the attacker as an admin. The same attack can be crafted so that it also works when a regular Staff account opens the ticket.
The bug is a result of incorrect escaping of a URL. For a simple proof of concept you can use the following: https://makthepla.net/ This demonstrates that JavaScript execution is possible by submitting a ticket.
For the more damaging demonstration shown in the video, an administrator can be added using the following URL:
https://makthepla.net/Add_admin_poc/
This submits the add-administrator form on behalf of the person viewing the ticket; it succeeds whenever that person holds administrator permissions.
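The two defects described above (the unescaped URL that enables script execution, and the add-administrator form that accepts a request forged from the victim's session) are illustrated below as an added example, not code from Helpdesk Pilot or from the original write-up. It is a generic Python model of a ticket renderer and an admin endpoint: the function names, the origin value and the server key are assumptions, and the URLs used as input are constructed test values.

```python
import hmac
from html import escape
from urllib.parse import urlsplit

# Only these schemes are ever turned into a clickable link in a ticket.
ALLOWED_SCHEMES = {"http", "https"}


def render_ticket_link_unsafe(url: str) -> str:
    """Vulnerable pattern: the submitted URL is dropped into markup verbatim.

    A URL containing a quote breaks out of the href attribute, and a
    non-http scheme becomes an executable link in the viewer's session.
    """
    return f'<a href="{url}">{url}</a>'


def render_ticket_link_safe(url: str) -> str:
    """Hardened rendering of a user-supplied URL.

    1. Reject anything that is not an absolute http(s) URL with a host;
       such values are shown as plain escaped text, never as a link.
    2. HTML-escape the value (quotes included) before placing it in an
       attribute and in the element body.
    """
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return escape(url, quote=True)
    escaped = escape(url, quote=True)
    return f'<a href="{escaped}" rel="noopener noreferrer">{escaped}</a>'


def issue_csrf_token(session_id: str, server_key: bytes) -> str:
    """Per-session anti-CSRF token, bound to the session with an HMAC."""
    return hmac.new(server_key, session_id.encode(), "sha256").hexdigest()


def admin_add_allowed(session_id: str, server_key: bytes,
                      submitted_token: str, request_origin: str,
                      expected_origin: str) -> bool:
    """Server-side check the add-administrator endpoint should perform.

    A request forged from a ticket view (or any other page) does not know
    the session-bound token, and a cross-site submission carries a foreign
    Origin header, so either check alone blocks the forgery; both are used.
    """
    if request_origin != expected_origin:
        return False
    expected = issue_csrf_token(session_id, server_key)
    return hmac.compare_digest(expected, submitted_token)


if __name__ == "__main__":
    # Constructed inputs: a benign link and a link using a non-http scheme.
    for sample in ("https://example.com/?a=1&b=2", "javascript:void(0)"):
        print("unsafe:", render_ticket_link_unsafe(sample))
        print("safe:  ", render_ticket_link_safe(sample))

    key = b"constructed-server-key"  # assumption: a per-deployment secret
    token = issue_csrf_token("sess-1", key)
    print("legitimate submit:",
          admin_add_allowed("sess-1", key, token,
                            "https://helpdesk.example", "https://helpdesk.example"))
    print("forged submit:   ",
          admin_add_allowed("sess-1", key, "",
                            "https://helpdesk.example", "https://helpdesk.example"))
```

The scheme allow-list is the part that addresses the reported bug directly: escaping alone keeps a quote from terminating the attribute, but it does not stop a non-http scheme from being followed, so both steps are needed. The token check is what makes the add-administrator form safe to have open in the same browser as an attacker-supplied ticket.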