CVE-2019-14748 - OpenCVE

An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. The Ticket creation form allows users to upload files along with queries. It was found that the file-upload functionality has fewer (or no) mitigations implemented for file content checks; also, the output is not handled properly, causing persistent XSS that leads to cookie stealing or malicious actions. For example, a non-agent user can upload a .html file, and Content-Disposition will be set to inline instead of attachment.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Osticket	Osticket

Configuration 1 [-]

OR	cpe:2.3:a:osticket:osticket::::::::
	cpe:2.3:a:osticket:osticket::::::::

References

Link	Resource
http://packetstormsecurity.com/files/154003/osTicket-1.12-File-Upload-Cross-Site-Scripting.html	Exploit Third Party Advisory VDB Entry
https://github.com/osTicket/osTicket/commit/33ed106b1602f559a660a69f931a9d873685d1ba	Patch Release Notes Third Party Advisory
https://github.com/osTicket/osTicket/releases/tag/v1.10.7	Release Notes Third Party Advisory
https://github.com/osTicket/osTicket/releases/tag/v1.12.1	Third Party Advisory
https://www.exploit-db.com/exploits/47224	Exploit Third Party Advisory VDB Entry

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-08-07T16:38:58

Updated: 2019-08-13T13:28:48

Reserved: 2019-08-07T00:00:00

Link: CVE-2019-14748

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-08-07T17:15:12.417

Modified: 2019-08-14T15:29:57.277

Link: CVE-2019-14748

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. The Ticket creation form allows users to upload files along with queries. It was found that the file-upload functionality has fewer (or no) mitigations implemented for file content checks; also, the output is not handled properly, causing persistent XSS that leads to cookie stealing or malicious actions. For example, a non-agent user can upload a .html file, and Content-Disposition will be set to inline instead of attachment."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-08-13T13:28:48", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/osTicket/osTicket/commit/33ed106b1602f559a660a69f931a9d873685d1ba"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/osTicket/osTicket/releases/tag/v1.12.1"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/osTicket/osTicket/releases/tag/v1.10.7"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/154003/osTicket-1.12-File-Upload-Cross-Site-Scripting.html"}, {"name": "47224", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/47224"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-14748", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. The Ticket creation form allows users to upload files along with queries. It was found that the file-upload functionality has fewer (or no) mitigations implemented for file content checks; also, the output is not handled properly, causing persistent XSS that leads to cookie stealing or malicious actions. For example, a non-agent user can upload a .html file, and Content-Disposition will be set to inline instead of attachment."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/osTicket/osTicket/commit/33ed106b1602f559a660a69f931a9d873685d1ba", "refsource": "MISC", "url": "https://github.com/osTicket/osTicket/commit/33ed106b1602f559a660a69f931a9d873685d1ba"}, {"name": "https://github.com/osTicket/osTicket/releases/tag/v1.12.1", "refsource": "MISC", "url": "https://github.com/osTicket/osTicket/releases/tag/v1.12.1"}, {"name": "https://github.com/osTicket/osTicket/releases/tag/v1.10.7", "refsource": "MISC", "url": "https://github.com/osTicket/osTicket/releases/tag/v1.10.7"}, {"name": "http://packetstormsecurity.com/files/154003/osTicket-1.12-File-Upload-Cross-Site-Scripting.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/154003/osTicket-1.12-File-Upload-Cross-Site-Scripting.html"}, {"name": "47224", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/47224"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-14748", "datePublished": "2019-08-07T16:38:58", "dateReserved": "2019-08-07T00:00:00", "dateUpdated": "2019-08-13T13:28:48", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:osticket:osticket:*:*:*:*:*:*:*:*", "matchCriteriaId": "2D6B0B54-FE0E-41EB-953D-6A72FFB7B724", "versionEndExcluding": "1.10.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:osticket:osticket:*:*:*:*:*:*:*:*", "matchCriteriaId": "4874A3A8-A938-4E25-B01A-5366E34B2A28", "versionEndExcluding": "1.12.1", "versionStartIncluding": "1.12", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. The Ticket creation form allows users to upload files along with queries. It was found that the file-upload functionality has fewer (or no) mitigations implemented for file content checks; also, the output is not handled properly, causing persistent XSS that leads to cookie stealing or malicious actions. For example, a non-agent user can upload a .html file, and Content-Disposition will be set to inline instead of attachment."}, {"lang": "es", "value": "Se detect\u00f3 un problema en osTicket versiones anteriores a 1.10.7 y versiones 1.12.x anteriores a 1.12.1. El formulario de creaci\u00f3n de Ticket permite a los usuarios cargar archivos en conjunto con consultas. Se encontr\u00f3 que la funcionalidad file-upload presenta menos (o ninguna) mitigaciones implementadas para las comprobaciones de contenido de archivos; adem\u00e1s, la salida no se maneja apropiadamente, causando una vulnerabilidad de tipo XSS persistente que conlleva al robo de cookies o acciones maliciosas. Por ejemplo, un usuario que no sea agente puede cargar un archivo .html y Content-Disposition ser\u00e1 ajustado a inline en lugar de attachment."}], "id": "CVE-2019-14748", "lastModified": "2019-08-14T15:29:57.277", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-08-07T17:15:12.417", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/154003/osTicket-1.12-File-Upload-Cross-Site-Scripting.html"}, {"source": "cve@mitre.org", "tags": ["Patch", "Release Notes", "Third Party Advisory"], "url": "https://github.com/osTicket/osTicket/commit/33ed106b1602f559a660a69f931a9d873685d1ba"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/osTicket/osTicket/releases/tag/v1.10.7"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/osTicket/osTicket/releases/tag/v1.12.1"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/47224"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}, {"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}