Lucene search
MitreCVELIST:CVE-2019-14748HistoryAug 07, 2019 - 4:38 p.m.
CVE-2019-14748
2019-08-0716:38:58
mitre
www.cve.org
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. The Ticket creation form allows users to upload files along with queries. It was found that the file-upload functionality has fewer (or no) mitigations implemented for file content checks; also, the output is not handled properly, causing persistent XSS that leads to cookie stealing or malicious actions. For example, a non-agent user can upload a .html file, and Content-Disposition will be set to inline instead of attachment.
References
Related
packetstorm
packetstorm
osTicket 1.12 File Upload Cross Site Scripting
2019-08-11 00:00:00
nvd
nvd
CVE-2019-14748
2019-08-07 17:15:12
zdt
zdt
cve
cve
CVE-2019-14748
2019-08-07 17:15:12
exploitpack
exploitpack
osTicket 1.12 - Persistent Cross-Site Scripting via File Upload
2019-08-12 00:00:00
osv
osv
CVE-2019-14748
2019-08-07 17:15:12
prion
prion
Unrestricted file upload
2019-08-07 17:15:00
exploitdb
exploitdb
osTicket 1.12 - Persistent Cross-Site Scripting via File Upload
2019-08-12 00:00:00
openvas
openvas
osTicket < 1.10.7, 1.12.x < 1.12.1 Multiple Vulnerabilities
2019-08-09 00:00:00