Stored Cross-Site Scripting in osTicket by Enhancesoft
CVE-2023-27149

4.8 MEDIUM

Key Information:

CVE Published: 23 October 2023

What is CVE-2023-27149?

osTicket v1.17.2 contains a stored cross-site scripting (XSS) flaw that allows an attacker to execute arbitrary web scripts. The malicious payload is injected into the Label input parameter when a custom list is updated. If exploited, this vulnerability could allow attackers to manipulate or compromise user sessions and potentially lead to unauthorized access. Organizations using osTicket should prioritize assessing this vulnerability to secure their web applications.

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed
