CVE-2019-14750
NONE EPSS 95.5%
Published Aug 7, 2019 (6y ago)
Last Modified Jun 17, 2026 (2w ago)
Description
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. Stored XSS exists in setup/install.php. It was observed that no input sanitization was provided in the firstname and lastname fields of the application. The insertion of malicious queries in those fields leads to the execution of those queries. This can further lead to cookie stealing or other malicious actions.
Threat Intelligence
EPSS Exploit Probability
95.5% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-79 Cross-site Scripting Injection
Affected Products 2
References 5
- packetstormsecurity.com http://packetstormsecurity.com/files/154005/osTicket-1.12-Cross-Site-Scripting.html
- github.com https://github.com/osTicket/osTicket/commit/c3ba5b78261e07a883ad8fac28c214486c854e12
- github.com https://github.com/osTicket/osTicket/releases/tag/v1.10.7
- github.com https://github.com/osTicket/osTicket/releases/tag/v1.12.1
- exploit-db.com https://www.exploit-db.com/exploits/47226
Remediation
- github.com https://github.com/osTicket/osTicket/commit/c3ba5b78261e07a883ad8fac28c214486c854e12