Cross Site Scripting Vulnerability in osTicket Plugins by osTicket
CVE-2022-31889

6.1 MEDIUM

Key Information:

Status
Vendor
CVE Published: 5 April 2023

Badges

👾 Exploit Exists · 🟡 Public PoC

What is CVE-2022-31889?

A Cross Site Scripting (XSS) vulnerability exists in the osTicket plugins due to inadequate validation of user input in the auditlogs template file. Because the unvalidated input is rendered into the page, an attacker can inject scripts that execute in the browsers of other users who view that page, compromising those users' sessions and allowing unauthorized actions on their behalf. Proper input sanitization and output encoding in the template are essential to mitigate this risk and protect the integrity of user interactions within the system.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published
  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability Reserved