Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application’s immediate response in an unsafe way. An attacker can use the vulnerability to construct a request that, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user’s browser in the context of that user’s session with the application.
In this specific case, once authenticated as an agent (administrative privileges are not required), the advanced ticket search functionality is reachable from scp/tickets.php. It presents a drop-down list of saved searches whose options are integers, used as incremental numeric identifiers, which are passed to the server through the parent_id and pid GET parameters.
The selected parent_id or pid value is reflected into the value attribute of an <input> tag without HTML encoding. Supplying, in place of the expected integer, a value that closes the attribute and the tag (a double quote followed by ">") lets an attacker append arbitrary markup, including JavaScript, which the victim's browser executes in the context of that agent's session. Since the endpoints sit behind agent authentication, the victim must be a logged-in agent who is induced to open the crafted URL.
Proof of concept (parent_id GET parameter):
http://<TARGET>/osTicket/scp/ajax.php/tickets/search?parent_id=1"><svg/x=">"/onload=confirm()//

Proof of concept (pid GET parameter):
http://<TARGET>/osTicket/scp/ajax.php/tickets/search/create?pid=adhoc%2cpdXBTnfSg0riebm%22%3e%3cscript%3ealert(1)%3c%2fscript%3etgghb