CVE-2019-14750 PoC — Enhancesoft osTicket Cross-Site Scripting Vulnerability

Source
Associated Vulnerability
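Title: Enhancesoft osTicket Cross-Site Scripting Vulnerability (CVE-2019-14750)
Description: Enhancesoft osTicket is an open-source ticketing system from the US company Enhancesoft. A cross-site scripting vulnerability exists in the setup/install.php file in Enhancesoft osTicket versions before 1.10.7 and 1.12.x versions before 1.12.1. The vulnerability stems from the web application's lack of proper validation of client-supplied data. An attacker can exploit it to execute client-side code.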
Description
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. Stored XSS exists in setup/install.php. It was observed that no input sanitization was provided in the firstname and lastname fields of the application. The insertion of malicious queries in those fields leads to the execution of those queries. This can further lead to cookie stealing or other malicious actions.
File Snapshot

id: CVE-2019-14750 info: name: osTicket < 1.12.1 - Cross-Site Scripting author: TenBird sever ...