CVE-2019-14748

osTicket 1.12 - Persistent Cross-Site Scripting via File Upload

Severity Score

5.4

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. The Ticket creation form allows users to upload files along with queries. It was found that the file-upload functionality has fewer (or no) mitigations implemented for file content checks; also, the output is not handled properly, causing persistent XSS that leads to cookie stealing or malicious actions. For example, a non-agent user can upload a .html file, and Content-Disposition will be set to inline instead of attachment.

Se detectó un problema en osTicket versiones anteriores a 1.10.7 y versiones 1.12.x anteriores a 1.12.1. El formulario de creación de Ticket permite a los usuarios cargar archivos en conjunto con consultas. Se encontró que la funcionalidad file-upload presenta menos (o ninguna) mitigaciones implementadas para las comprobaciones de contenido de archivos; además, la salida no se maneja apropiadamente, causando una vulnerabilidad de tipo XSS persistente que conlleva al robo de cookies o acciones maliciosas. Por ejemplo, un usuario que no sea agente puede cargar un archivo .html y Content-Disposition será ajustado a inline en lugar de attachment.

An issue was discovered in osTicket versions before 1.10.7 and 1.12.x before 1.12.1. The Ticket creation form allows users to upload files along with queries. It was found that the file-upload functionality has fewer (or no) mitigations implemented for file content checks; also, the output is not handled properly, causing persistent XSS that leads to cookie stealing or malicious actions.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-08-07 CVE Reserved
2019-08-07 CVE Published
2024-08-05 CVE Updated
2024-08-05 First Exploit
2024-12-28 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-434: Unrestricted Upload of File with Dangerous Type

CAPEC

References (5)

URL	Tag	Source
https://github.com/osTicket/osTicket/releases/tag/v1.10.7	Release Notes
https://github.com/osTicket/osTicket/releases/tag/v1.12.1	Third Party Advisory

URL	Date	SRC
https://www.exploit-db.com/exploits/47224	2024-08-05
http://packetstormsecurity.com/files/154003/osTicket-1.12-File-Upload-Cross-Site-Scripting.html	2024-08-05

URL	Date	SRC
https://github.com/osTicket/osTicket/commit/33ed106b1602f559a660a69f931a9d873685d1ba	2019-08-14

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Osticket Search vendor "Osticket"		Osticket Search vendor "Osticket" for product "Osticket"				< 1.10.7 Search vendor "Osticket" for product "Osticket" and version " < 1.10.7"		-		Affected
Osticket Search vendor "Osticket"		Osticket Search vendor "Osticket" for product "Osticket"				>= 1.12 < 1.12.1 Search vendor "Osticket" for product "Osticket" and version " >= 1.12 < 1.12.1"		-		Affected