CVE-2019-14750
CVE-2019-14750
Vexday Risk Score
43Atención
Decisión SSVC (CISA)
Attend
PoC disponible → seguir de cerca
Madurez del exploit
Exploit funcional
Exploit automatizable disponible (Nuclei/Metasploit).
CVSS —EPSS 11.7%KEV nãoPoC públicaNuclei simMetasploit —Patch —
Ciclo de vida
07 ago 2019Publicada en NVD
Recomendación: Planificar corrección próxima — ya existe PoC pública.
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. Stored XSS exists in setup/install.php. It was observed that no input sanitization was provided in the firstname and lastname fields of the application. The insertion of malicious queries in those fields leads to the execution of those queries. This can further lead to cookie stealing or other malicious actions.
Productos afectados
n/a · n/aPoCs públicas encontradas — 2
cve_referencepacketstormsecurity.com/files/154005/osTicket-1.12-Cross-Site-Scripting.htmlno verificadocve_referencewww.exploit-db.com/exploits/47226no verificado⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.
Referencias
http://packetstormsecurity.com/files/154005/osTicket-1.12-Cross-Site-Scripting.htmlhttps://github.com/osTicket/osTicket/commit/c3ba5b78261e07a883ad8fac28c214486c854e12https://github.com/osTicket/osTicket/releases/tag/v1.10.7https://github.com/osTicket/osTicket/releases/tag/v1.12.1https://www.exploit-db.com/exploits/47226