Cross-Site Scripting Vulnerability in osTicket Software by osTicket
CVE-2019-11537
6.1MEDIUM
Key Information:
Badges
๐พ Exploit Exists๐ก Public PoC
What is CVE-2019-11537?
An XSS vulnerability exists in osTicket versions earlier than 1.12, where a crafted CSV file uploaded by an agent manager can trigger malicious scripts through error messages generated in file upload components. Specifically, endpoints like /upload/file.php, /upload/scp/users.php?do=import-users, and /upload/scp/ajax.php/users/import are vulnerable. This flaw can potentially lead to local file inclusion, allowing attackers to exploit the system further and compromise data integrity.
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
