Potential Security Vulnerability in v0.88d and earlier
A potential cross-site scripting (XSS) security vulnerability has been identified by a user in Huru Helpdesk versions 0.88d and earlier. The problem also exists in the 0.89 beta versions.
This problem has been fixed in the general release of version 0.89 available via the Download tab above. Anyone using a version of Huru Helpdesk earlier than version 0.89 should upgrade as soon as possible, particularly if you allow public entry of cases.
The problem is caused by the incomplete cleansing of user input on the detail view. Code has been added to the general release of version 0.89 to clean user-entered data both before it is stored in the database and before it is displayed on the screen after being retrieved from the database.
Users of earlier versions who cannot upgrade to the general release of version 0.89 can partially protect themselves by making the following change to the safe() function in the components/com_huruhelpdesk/helpers/head.php file (line 442 in v0.88d):
Replace line:
return $str;
With:
return htmlentities($str, ENT_QUOTES, 'UTF-8', FALSE);
This change will not necessarily provide full protection, and the amount of protection may vary based on which version you are running. To completely block this exploit, you must upgrade to the general release of version 0.89 or later.
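The following is an added example, not code from Huru Helpdesk: it places the unpatched safe() described above beside the workaround version, on a constructed sample input, to show what the one-line change does and why the fourth htmlentities() argument (double_encode = false) matters once data is also encoded before storage. The function names safe_before() and safe_after() are assumed names for illustration.

```php
<?php
// Added example; not part of Huru Helpdesk. Demonstrates the advisory's
// workaround for the safe() helper in head.php.

// Behaviour of safe() in v0.88d as the advisory describes it:
// the string is returned unchanged, so any markup a visitor submitted on a
// public case form is later written into the detail view as live HTML.
function safe_before($str)
{
    return $str;
}

// The workaround: encode HTML metacharacters on the way to the page.
// ENT_QUOTES  - encode both single and double quotes, so the value is also
//               safe inside quoted attribute values.
// 'UTF-8'     - the charset the input is interpreted in.
// false       - double_encode off: an entity such as "&amp;" that is already
//               encoded (e.g. data stored by 0.89's encode-before-store path)
//               is left alone instead of becoming "&amp;amp;".
function safe_after($str)
{
    return htmlentities($str, ENT_QUOTES, 'UTF-8', false);
}

// Small check a maintainer can run on a value about to be echoed: true when
// no raw HTML metacharacter survives, i.e. the value cannot open a tag or
// break out of a quoted attribute.
function is_output_safe($str)
{
    return strpbrk($str, '<>"\'') === false;
}

// Constructed sample input (not a real submission): contains a script tag,
// both quote styles, and one entity that is already encoded.
$sample = '<script>x()</script> "double" \'single\' 5 &amp; 6';

echo "unpatched safe(): ", safe_before($sample), PHP_EOL;
echo "is_output_safe:   ", var_export(is_output_safe(safe_before($sample)), true), PHP_EOL;
echo "patched safe():   ", safe_after($sample), PHP_EOL;
echo "is_output_safe:   ", var_export(is_output_safe(safe_after($sample)), true), PHP_EOL;

// Only values that actually pass through safe() are protected; templates that
// echo request or database values directly are unaffected by this change,
// which is why the advisory calls the workaround partial and recommends
// upgrading to 0.89 or later.
```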
