osTicket
Session fixation in osTicket v1.18.2 enables remote attackers to hijack authenticated user accounts by pre-seeding a known OSTSESSID cookie before the victim logs in. The application fails to invalidate or regenerate the session identifier upon successful authentication, so an attacker who plants a known token in the victim's browser retains access to that session once the victim authenticates. No public exploit code has been identified at time of analysis; the CVSS 4.0 score of 5.1 (Medium) reflects limited per-account impact and a mandatory victim-interaction prerequisite.
Arbitrary file disclosure in osTicket 1.18.x before 1.18.3 and 1.17.x before 1.17.7 allows unauthenticated attackers to read sensitive server files by injecting malicious PHP filter expressions into ticket descriptions that are processed during PDF export. The vulnerability exploits insufficient sanitization in the mPDF library integration, enabling attackers to embed arbitrary file contents as images in generated PDFs when exporting tickets. Public exploit code exists and the issue affects default configurations where guest ticket creation is enabled.
osTicket versions prior to v1.17.6 and v1.18.2 are vulnerable to broken access control in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of the "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable with low attack complexity and no authentication required. Public exploit code is available and no vendor patch is available.