Skip to main content

CWE-38

Path Traversal: '\absolute\pathname\here'

1 CVEs Avg CVSS 5.1 MITRE
0
CRITICAL
0
HIGH
1
MEDIUM
0
LOW
0
POC
0
KEV

Monthly

CVE-2026-9507 MEDIUM PATCH This Month

Session fixation in osTicket v1.18.2 enables remote attackers to hijack authenticated user accounts by pre-seeding a known OSTSESSID cookie before the victim logs in. The application fails to invalidate or regenerate the session identifier upon successful authentication, so an attacker who plants a known token in the victim's browser retains access to that session once the victim authenticates. No public exploit code has been identified at time of analysis; the CVSS 4.0 score of 5.1 (Medium) reflects limited per-account impact and a mandatory victim-interaction prerequisite.

Information Disclosure Osticket
NVD VulDB
CVSS 4.0
5.1
EPSS
0.4%
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Session fixation in osTicket v1.18.2 enables remote attackers to hijack authenticated user accounts by pre-seeding a known OSTSESSID cookie before the victim logs in. The application fails to invalidate or regenerate the session identifier upon successful authentication, so an attacker who plants a known token in the victim's browser retains access to that session once the victim authenticates. No public exploit code has been identified at time of analysis; the CVSS 4.0 score of 5.1 (Medium) reflects limited per-account impact and a mandatory victim-interaction prerequisite.

Information Disclosure Osticket
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy