Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable AJAX endpoint with low complexity, requires a valid low-privilege account (PR:L), unauthorized ticket read gives high confidentiality impact with no integrity or availability effect.
Primary rating from Vendor (Fluid Attacks).
CVSS VectorVendor: Fluid Attacks
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
osTicket versions v1.18.3 and v1.17.7 contain a Broken Object Level Authorization (BOLA) leading to Insecure Direct Object Reference (IDOR) in the AJAX ticket-management subsystem.
AnalysisAI
Unauthorized ticket data disclosure in osTicket v1.18.3 and v1.17.7 allows an authenticated low-privilege user to access tickets belonging to other users by manipulating object identifiers in the AJAX ticket-management endpoints. The flaw stems from missing per-object authorization checks (BOLA/IDOR) rather than a coding error in the request handler. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must hold a valid authenticated osTicket session (CVSS PR:L) - the flaw is reachable only after login, not by anonymous users. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N) describes a network-reachable, low-complexity attack requiring low privileges and no user interaction, with high confidentiality impact but no integrity or availability impact - consistent with unauthorized read of other users' tickets. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or obtains a low-privilege osTicket account, opens their own ticket, and observes the object identifier used by the AJAX ticket-management calls. By incrementing or substituting that identifier in subsequent requests, they retrieve tickets belonging to other users, potentially harvesting sensitive support conversations, PII, or credentials pasted into tickets. … |
| Remediation | Vendor-released patch: upgrade to osTicket v1.18.4 (for the 1.18.x branch) or v1.17.8 (for the 1.17.x branch), both available as tagged GitHub releases (https://github.com/osTicket/osTicket/releases/tag/v1.18.4 and https://github.com/osTicket/osTicket/releases/tag/v1.17.8); the v1.18.4 notes bundle the June 2026 security patch set. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all osTicket deployments and identify which systems run versions 1.18.3 or 1.17.7, prioritizing instances containing sensitive customer data. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
SSRF exists in osTicket before 1.14.3, where an attacker can add malicious file to server or perform port scanning. Rate
osTicket 1.10.1 provides a functionality to upload 'html' files with associated formats. Rated critical severity (CVSS 9
Arbitrary local file read in Enhancesoft osTicket 1.18.x (before 1.18.3) and 1.17.x (before 1.17.7) lets a remote unauth
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. Rated high severity (CVSS 8.8), this vulnera
In osTicket before 1.10.1, SQL injection is possible by constructing an array via use of square brackets at the end of a
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. Rated medium severity (CVSS 6.1), this vulne
Enhancesoft osTicket before 1.10.2 allows remote attackers to reset arbitrary passwords (when an associated e-mail addre
A denial of service attack might be launched against the server if an unusually lengthy password (more than 10000000 cha
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket 1.15.x allows authenticate
In osTicket before 1.12, XSS exists via /upload/file.php, /upload/scp/users.php?do=import-users, and /upload/scp/ajax.ph
Cross-site scripting (XSS) vulnerability in /scp/index.php in Enhancesoft osTicket before 1.10.2 allows remote attackers
Cross-site scripting (XSS) vulnerability in /scp/directory.php in Enhancesoft osTicket before 1.10.2 allows remote attac
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45186