Monthly
Session fixation in osTicket v1.18.2 enables remote attackers to hijack authenticated user accounts by pre-seeding a known OSTSESSID cookie before the victim logs in. The application fails to invalidate or regenerate the session identifier upon successful authentication, so an attacker who plants a known token in the victim's browser retains access to that session once the victim authenticates. No public exploit code has been identified at time of analysis; the CVSS 4.0 score of 5.1 (Medium) reflects limited per-account impact and a mandatory victim-interaction prerequisite.
Session fixation in osTicket v1.18.2 enables remote attackers to hijack authenticated user accounts by pre-seeding a known OSTSESSID cookie before the victim logs in. The application fails to invalidate or regenerate the session identifier upon successful authentication, so an attacker who plants a known token in the victim's browser retains access to that session once the victim authenticates. No public exploit code has been identified at time of analysis; the CVSS 4.0 score of 5.1 (Medium) reflects limited per-account impact and a mandatory victim-interaction prerequisite.