CVE-2019-14748 - OpenCVE

An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. The Ticket creation form allows users to upload files along with queries. It was found that the file-upload functionality has fewer (or no) mitigations implemented for file content checks; also, the output is not handled properly, causing persistent XSS that leads to cookie stealing or malicious actions. For example, a non-agent user can upload a .html file, and Content-Disposition will be set to inline instead of attachment.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Osticket	Osticket

Configuration 1 [-]

OR	cpe:2.3:a:osticket:osticket::::::::
	cpe:2.3:a:osticket:osticket::::::::

No data.

References

Link	Providers
http://packetstormsecurity.com/files/154003/osTicket-1.12-File-Upload-Cross-Site-Scripting.html
https://github.com/osTicket/osTicket/commit/33ed106b1602f559a660a69f931a9d873685d1ba
https://github.com/osTicket/osTicket/releases/tag/v1.10.7
https://github.com/osTicket/osTicket/releases/tag/v1.12.1
https://www.exploit-db.com/exploits/47224

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-08-07T16:38:58

Updated: 2024-08-05T00:26:38.679Z

Reserved: 2019-08-07T00:00:00

Link: CVE-2019-14748

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-08-07T17:15:12.417

Modified: 2019-08-14T15:29:57.277

Link: CVE-2019-14748

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. The Ticket creation form allows users to upload files along with queries. It was found that the file-upload functionality has fewer (or no) mitigations implemented for file content checks; also, the output is not handled properly, causing persistent XSS that leads to cookie stealing or malicious actions. For example, a non-agent user can upload a .html file, and Content-Disposition will be set to inline instead of attachment."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-08-13T13:28:48", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/osTicket/osTicket/commit/33ed106b1602f559a660a69f931a9d873685d1ba"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/osTicket/osTicket/releases/tag/v1.12.1"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/osTicket/osTicket/releases/tag/v1.10.7"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/154003/osTicket-1.12-File-Upload-Cross-Site-Scripting.html"}, {"name": "47224", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/47224"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-14748", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. The Ticket creation form allows users to upload files along with queries. It was found that the file-upload functionality has fewer (or no) mitigations implemented for file content checks; also, the output is not handled properly, causing persistent XSS that leads to cookie stealing or malicious actions. For example, a non-agent user can upload a .html file, and Content-Disposition will be set to inline instead of attachment."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/osTicket/osTicket/commit/33ed106b1602f559a660a69f931a9d873685d1ba", "refsource": "MISC", "url": "https://github.com/osTicket/osTicket/commit/33ed106b1602f559a660a69f931a9d873685d1ba"}, {"name": "https://github.com/osTicket/osTicket/releases/tag/v1.12.1", "refsource": "MISC", "url": "https://github.com/osTicket/osTicket/releases/tag/v1.12.1"}, {"name": "https://github.com/osTicket/osTicket/releases/tag/v1.10.7", "refsource": "MISC", "url": "https://github.com/osTicket/osTicket/releases/tag/v1.10.7"}, {"name": "http://packetstormsecurity.com/files/154003/osTicket-1.12-File-Upload-Cross-Site-Scripting.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/154003/osTicket-1.12-File-Upload-Cross-Site-Scripting.html"}, {"name": "47224", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/47224"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T00:26:38.679Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/osTicket/osTicket/commit/33ed106b1602f559a660a69f931a9d873685d1ba"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/osTicket/osTicket/releases/tag/v1.12.1"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/osTicket/osTicket/releases/tag/v1.10.7"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/154003/osTicket-1.12-File-Upload-Cross-Site-Scripting.html"}, {"name": "47224", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "https://www.exploit-db.com/exploits/47224"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-14748", "datePublished": "2019-08-07T16:38:58", "dateReserved": "2019-08-07T00:00:00", "dateUpdated": "2024-08-05T00:26:38.679Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:osticket:osticket:*:*:*:*:*:*:*:*", "matchCriteriaId": "2D6B0B54-FE0E-41EB-953D-6A72FFB7B724", "versionEndExcluding": "1.10.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:osticket:osticket:*:*:*:*:*:*:*:*", "matchCriteriaId": "4874A3A8-A938-4E25-B01A-5366E34B2A28", "versionEndExcluding": "1.12.1", "versionStartIncluding": "1.12", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. The Ticket creation form allows users to upload files along with queries. It was found that the file-upload functionality has fewer (or no) mitigations implemented for file content checks; also, the output is not handled properly, causing persistent XSS that leads to cookie stealing or malicious actions. For example, a non-agent user can upload a .html file, and Content-Disposition will be set to inline instead of attachment."}, {"lang": "es", "value": "Se detect\u00f3 un problema en osTicket versiones anteriores a 1.10.7 y versiones 1.12.x anteriores a 1.12.1. El formulario de creaci\u00f3n de Ticket permite a los usuarios cargar archivos en conjunto con consultas. Se encontr\u00f3 que la funcionalidad file-upload presenta menos (o ninguna) mitigaciones implementadas para las comprobaciones de contenido de archivos; adem\u00e1s, la salida no se maneja apropiadamente, causando una vulnerabilidad de tipo XSS persistente que conlleva al robo de cookies o acciones maliciosas. Por ejemplo, un usuario que no sea agente puede cargar un archivo .html y Content-Disposition ser\u00e1 ajustado a inline en lugar de attachment."}], "id": "CVE-2019-14748", "lastModified": "2019-08-14T15:29:57.277", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-08-07T17:15:12.417", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/154003/osTicket-1.12-File-Upload-Cross-Site-Scripting.html"}, {"source": "cve@mitre.org", "tags": ["Patch", "Release Notes", "Third Party Advisory"], "url": "https://github.com/osTicket/osTicket/commit/33ed106b1602f559a660a69f931a9d873685d1ba"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/osTicket/osTicket/releases/tag/v1.10.7"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/osTicket/osTicket/releases/tag/v1.12.1"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/47224"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}, {"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}