Vulnerabilities
Vulnerable Software
Enhancesoft:  >> Osticket  >> 1.0  Security Vulnerabilities
Cross-site Scripting (XSS) - Reflected in GitHub repository osticket/osticket prior to 1.16.4.
CVSS Score
8.0
EPSS Score
0.007
Published
2022-12-02
A stored cross-site scripting (XSS) vulnerability in the component audit/class.audit.php of osTicket-plugins - Storage-FS before commit a7842d494889fd5533d13deb3c6a7789768795ae allows attackers to execute arbitrary web scripts or HTML via a crafted SVG file.
CVSS Score
5.4
EPSS Score
0.014
Published
2022-07-13
SQL injection in osTicket before 1.14.8 and 1.15.4 login and password reset process allows attackers to access the osTicket administration profile functionality.
CVSS Score
9.8
EPSS Score
0.01
Published
2022-05-04
Cross Site Scripting vulnerability in Enhancesoft osTicket before v1.12.6 via the queue-name parameter to include/ajax.search.php.
CVSS Score
6.1
EPSS Score
0.007
Published
2021-06-28
Cross Site Scripting (XSS) vulnerability in Enhancesoft osTicket before v1.12.6 via the queue-name parameter in include/class.queue.php.
CVSS Score
6.1
EPSS Score
0.007
Published
2021-06-28
SSRF exists in osTicket before 1.14.3, where an attacker can add malicious file to server or perform port scanning.
CVSS Score
9.8
EPSS Score
0.733
Published
2020-11-02
osTicket before 1.14.3 allows XSS via a crafted filename to DraftAjaxAPI::_uploadInlineImage() in include/ajax.draft.php.
CVSS Score
6.1
EPSS Score
0.012
Published
2020-08-30
osTicket before 1.14.3 allows XSS because include/staff/banrule.inc.php has an unvalidated echo $info['notes'] call.
CVSS Score
5.4
EPSS Score
0.006
Published
2020-08-26
include/class.sla.php in osTicket before 1.14.2 allows XSS via the SLA Name.
CVSS Score
5.4
EPSS Score
0.015
Published
2020-05-04
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. The Ticket creation form allows users to upload files along with queries. It was found that the file-upload functionality has fewer (or no) mitigations implemented for file content checks; also, the output is not handled properly, causing persistent XSS that leads to cookie stealing or malicious actions. For example, a non-agent user can upload a .html file, and Content-Disposition will be set to inline instead of attachment.
CVSS Score
5.4
EPSS Score
0.027
Published
2019-08-07


Contact Us

Shodan ® - All rights reserved