Description

An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. Stored XSS exists in setup/install.php. It was observed that no input sanitization was provided in the firstname and lastname fields of the application. The insertion of malicious queries in those fields leads to the execution of those queries. This can further lead to cookie stealing or other malicious actions.

Remediation

References

CVE-2019-14750

Related Vulnerabilities

PostgreSQL Other Vulnerability (CVE-2006-0678)

WordPress Plugin W3 Total Cache PHP Code Injection (0.9.2.8)

Drupal Core 8.6.x Cross-Site Scripting (8.6.0 - 8.6.14)

WordPress Plugin Resume Submissions & Job Postings Cross-Site Scripting (2.5.3)

Drupal Core 4.7.x Multiple Cross-Site Scripting Vulnerabilities (4.7.0 - 4.7.6)

Severity

Medium

Classification

CVE-2019-14750 CWE-707 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities