Session Fixation Vulnerability in osTicket by osTicket Developers
CVE-2022-31888

8.8HIGH

Key Information:

Vendor: Enhancesoft
Status: Osticket
Vendor: CVE Published:; 5 April 2023

🔔 Create Enhancesoft Vulnerability Alert

What is CVE-2022-31888?

A session fixation vulnerability exists in osTicket's login function (located in class.auth.php) through version 1.16.2. This flaw allows an attacker to hijack a user's session by forcing the user to authenticate with a predetermined session ID, leading to unauthorized access to the application. Users are encouraged to update to osTicket version 1.16.3 or later to mitigate this risk.

References

https://github.com/osTicket/osTicket/releases/tag/v1.16.3

https://github.com/osTicket/osTicket/commit/85a76f403a3a1...

https://checkmarx.com/blog/securing-open-source-solutions...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 5, 2023
Vulnerability Reserved
May 31, 2022

CVE-2022-31888 Data

JSON