Description
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. Stored XSS exists in setup/install.php. The application performs no input sanitization on the firstname and lastname fields, so malicious queries inserted into those fields are executed. This can lead to cookie stealing or other malicious actions.