OSTicket Support Cards View.PHP Cross-Site Scripting Vulnerability

Bugtraq ID:	21669
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Dec 19 2006 12:00AM
Updated:	Dec 19 2006 09:32PM
Credit:	Hacker CooL is credited with the discovery of this vulnerability.
Vulnerable:	osTicket osTicket STS 1.3 beta osTicket osTicket STS 1.2.7
Not Vulnerable:

OSTicket Support Cards View.PHP Cross-Site Scripting Vulnerability

osTicket Support Cards is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

OSTicket Support Cards View.PHP Cross-Site Scripting Vulnerability

An attacker can exploit this issue with a web client.

The following proof-of-concept URIs are available:

• /data/vulnerabilities/exploits/21661.html

OSTicket Support Cards View.PHP Cross-Site Scripting Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected]:[email protected].

OSTicket Support Cards View.PHP Cross-Site Scripting Vulnerability

References:

• osTicket Homepage (osTicket)
  
• xss in Support Cards v1 ( oSTicket ) ([email protected])