Description
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. Stored XSS exists in setup/install.php. It was observed that no input sanitization was provided in the firstname and lastname fields of the application. The insertion of malicious queries in those fields leads to the execution of those queries. This can further lead to cookie stealing or other malicious actions.
Remediation
References
Related Vulnerabilities
WordPress Plugin ARForms:Wordpress Form Builder Arbitrary File Deletion (3.5.1)
MediaWiki Allocation of Resources Without Limits or Throttling Vulnerability (CVE-2023-45371)
WordPress Plugin Hana Flv Player Cross-Site Scripting (3.1.3)
Plone CMS Other Vulnerability (CVE-2006-4249)
WordPress Plugin Parsian Bank Woocommerce Cross-Site Scripting (1.0)