Visit Freshworks.com Visit Freshworks
Question

User can change Requester field when creating new ticket

  • 27 July 2021
  • 5 replies
  • 151 views
Green-leafs
Rank

Hello,

 

We are near releasing Freshservice, and I recently discovered a security flaw. Users can change the requester's field to email. This is risky because a user can impersonate another during ticket submission. 

I discovered this script below, but it does not work all the time. There are multiple times the browser must be refreshed before the requester field becomes read-only.  Can your developer team please make it an option to make this field read-only? 


​<script type="text/javascript">
jQuery(document).ready(function(){

jQuery("#helpdesk_ticket_email").prop( "disabled", true );

});
</script>

5 replies

B
Rank
Badge +1

Just discovered this flaw.  It’s outrageous that I have to search for an answer here and then customize the code myself.  This should have never reached production.

I
Rank
Badge

For those out there on Portal v2 we have received this code from Freshservice Support for this:

UNDER HELPDESK BRANDING/REQUESTER PORTAL BRANDING/LAYOUTS&PAGES/PAGE LAYOUT

VERSION 1 - READ-ONLY Requester Email (best version)

<script>
jQuery(document).ready(function(){
        setInterval(function() {
      if(window.location.href.endsWith('support/tickets/new')) {
       jQuery(".required.email").prop("disabled", true);
            }
    }, 200)
  })
</script>


VERSION 2 - READ-ONLY Requester Email and ADD CC 

<script>
jQuery(document).ready(function(){
        setInterval(function() {
      if(window.location.href.endsWith('support/tickets/new')) {
       jQuery(".ticket-field.default_requester").prop("disabled", true);
            }
    }, 200)
  })
</script>

sanofar.allahpichai
Rank
Userlevel 4
Badge +6

Hi @Green-leafs,


Good day!

The script you mentioned may not work if you are on the Self-service Portal v2. Please try the below script to disable the email fields in the incident and service request forms if you are on portal v2.

<script>
   // To hide Email field in Incident Form  
  jQuery(document).ready(function(){
        setInterval(function() {
      if(window.location.href.endsWith('support/tickets/new')) {
       jQuery(".ticket-field.default_requester").prop("disabled", true);
            }
    }, 200)
  })
//To disable the Email field in Service Item Form
jQuery(document).on('SideModalOpen', function() {
setTimeout(function() {
jQuery("#requester_email").prop("disabled", true);
})
});
</script>

We hope this helps!

Regards,
Sanofar
Team Freshservice

Warm Regards, Sanofar || Freshworks Community
W
Rank
Userlevel 1
Badge

Just discovered this flaw.  It’s outrageous that I have to search for an answer here and then customize the code myself.  This should have never reached production.

Agreed. This code also doesn’t work for if a requester submits a service request with the ServiceBot (at least in MS Teams, haven’t tried Slack)

The agent I spoke to said this is currently a feature request and is being worked on. What is the ETA for this?

I
Rank
Badge

Hi sanofar.allahpichai,

We have recently moved to Portal v2 and would like to make the Requester (read-only) on the Portal ticket form. We get issues where auto-fill adds personal email addresses etc. We had the code in Portal v1 and the code you stated above does not work for us. Are you able to help?

Here is the code we had in Portal v1: 

<!-- Requester Email Read Only-->
<script>
  jQuery('#helpdesk_ticket_email').prop("disabled", true);
</script>

<script>

Any help appreciated.

Reply


Terms of UseCookie settings