Description

An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. Stored XSS exists in setup/install.php. It was observed that no input sanitization was provided in the firstname and lastname fields of the application. The insertion of malicious queries in those fields leads to the execution of those queries. This can further lead to cookie stealing or other malicious actions.

Remediation

References

CVE-2019-14750

Related Vulnerabilities

Mailman Other Vulnerability (CVE-2006-2191)

MySQL CVE-2019-2967 Vulnerability (CVE-2019-2967)

OpenSSL Observable Discrepancy Vulnerability (CVE-2022-4304)

Oracle JRE Incorrect Conversion between Numeric Types Vulnerability (CVE-2022-34169)

OpenSSL Improper Input Validation Vulnerability (CVE-2017-3733)

Severity

Medium

Classification

CVE-2019-14750 CWE-707 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities