XSS Vulnerability in osTicket Affected by Unvalidated Echo Output
CVE-2020-16193

5.4 MEDIUM

Key Information:

Vendor

Osticket

Status:
Vendor
CVE Published:
26 August 2020

What is CVE-2020-16193?

osTicket prior to version 1.14.3 is susceptible to a Cross-Site Scripting (XSS) vulnerability caused by unescaped output in the include/staff/banrule.inc.php file. Specifically, the line of code that echoes the $info['notes'] variable writes the stored value into the page without adequate validation or HTML escaping, so an attacker who can set that value can inject arbitrary script. Such a script runs in the browser of an authenticated staff user who views the page, which can lead to unauthorized actions or data leakage within that user's session.
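The following PHP snippet is an added illustration of the bug class, not osTicket's own code: it places the unescaped echo pattern the advisory describes next to a hardened version that escapes the value at the point of output. The array key $info['notes'] is the one named in the advisory; the helper function name, the surrounding markup and the sample note text are assumptions constructed for the example.

```php
<?php
// Added illustration of the XSS pattern in the advisory (not osTicket's code).
// $info['notes'] is the variable named in the advisory; everything else is constructed.

declare(strict_types=1);

/**
 * Escape a value for insertion into HTML text or attribute context.
 * ENT_QUOTES covers both quote styles so the result is also safe inside a
 * quoted attribute; ENT_SUBSTITUTE avoids returning an empty string on
 * malformed UTF-8; the explicit charset prevents encoding-dependent bypasses.
 * (Hypothetical helper name chosen for this example.)
 */
function html_escape(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Vulnerable pattern: the stored note is concatenated straight into the page,
 * so any markup or <script> element in the note is parsed by the browser.
 */
function render_notes_unescaped(array $info): string
{
    return '<p class="notes">' . ($info['notes'] ?? '') . '</p>';
}

/**
 * Hardened pattern: the same value is escaped at the moment it is output,
 * so the browser shows the note as literal text regardless of its content.
 */
function render_notes_escaped(array $info): string
{
    return '<p class="notes">' . html_escape($info['notes'] ?? null) . '</p>';
}

// Constructed sample: a note containing ordinary HTML markup. It is enough to
// show whether the template treats stored data as text or as markup.
$info = ['notes' => 'Blocked after repeated spam <i>see ticket log</i>'];

echo "Unescaped:\n", render_notes_unescaped($info), "\n\n";
echo "Escaped:\n", render_notes_escaped($info), "\n";
```

Run with `php example.php`. In the unescaped output the `<i>` tags remain real HTML, which is the same property that lets a script element run; in the escaped output the angle brackets are converted to entities and the note is rendered as plain text. The fix is applied at output time rather than on input, so it protects every path that reaches the template, including data that was stored before the fix and data entered through another interface; when reviewing templates for this class of bug, treat every `echo` of a stored or user-controlled value that is not wrapped in an escaping call as a finding.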

References

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
