CVE-2019-14750

NONE EPSS 95.5%
Published Aug 7, 2019 (6y ago) · Modified Jun 17, 2026 (2w ago)

Description

An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. Stored XSS exists in setup/install.php. It was observed that no input sanitization was provided in the firstname and lastname fields of the application. The insertion of malicious queries in those fields leads to the execution of those queries. This can further lead to cookie stealing or other malicious actions.

Threat Intelligence

EPSS Exploit Probability: 95.5% percentile
Exploit & Patch Status: No Known Exploit; Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 2

Vendor   | Product  | Version | Range
osticket | osticket | *       | <1.10.7
osticket | osticket | *       | ≥1.12 – <1.12.1

References 5

  • packetstormsecurity.com http://packetstormsecurity.com/files/154005/osTicket-1.12-Cross-Site-Scripting.html
    Third Party Advisory, VDB Entry
  • github.com https://github.com/osTicket/osTicket/commit/c3ba5b78261e07a883ad8fac28c214486c854e12
    Patch, Third Party Advisory
  • github.com https://github.com/osTicket/osTicket/releases/tag/v1.10.7
    Release Notes, Third Party Advisory
  • github.com https://github.com/osTicket/osTicket/releases/tag/v1.12.1
    Release Notes, Third Party Advisory
  • exploit-db.com https://www.exploit-db.com/exploits/47226
    Third Party Advisory, VDB Entry

Remediation

  • github.com https://github.com/osTicket/osTicket/commit/c3ba5b78261e07a883ad8fac28c214486c854e12
    Patch, Third Party Advisory