huntr / indevi0us / C3E27AF2-358B-490B-9BAF-E451663E4E5F
Dec 06, 2022 - 7:21 p.m.

Reflected XSS in Organizations Search

2022-12-06 19:21:00
indevi0us
www.huntr.dev
Tags: cross-site scripting, reflected, vulnerabilities, javascript, cve-2022-4271, organizations

EPSS

0.001

Percentile

25.6%

Description

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application’s immediate response in an unsafe way. An attacker can use the vulnerability to construct a request that, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user’s browser in the context of that user’s session with the application.

This case follows the same logic and has the same impact as CVE-2022-4271, previously reported as Reflected XSS in Username in osticket/osticket: by querying for any existing organization’s name, such as the default one, “osTicket”, on scp/ajax.php/orgs/search through the q GET parameter, it is possible to inject arbitrary JavaScript, which can be used to make the victim user execute malicious client-side code.

Proof of Concept

http://<TARGET>/osTicket/scp/ajax.php/orgs/search?q=osTicket%3Cimg%20src%3da%20onerror%3dalert(1337)%3E
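To show the defect class behind this report and its fix, the following is an added Python example; it is not code from the huntr report or from osTicket. It models a hypothetical search endpoint that echoes the q parameter into its HTML response, places the unsafe rendering beside an HTML-encoded one, and includes a small response check a tester or QA pipeline can use to confirm that a submitted parameter value is no longer reflected verbatim. The endpoint name, the markup and the sample request are constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit


def render_unsafe(q: str) -> str:
    """Vulnerable pattern: the search term is concatenated straight into markup.

    Any '<', '>' or quote characters in q become part of the page structure,
    which is exactly what allows a reflected XSS payload to execute.
    """
    return f'<div class="results">No organizations matching "{q}"</div>'


def render_safe(q: str) -> str:
    """Hardened pattern: HTML-encode the term before reflecting it.

    html.escape with quote=True turns <, >, &, " and ' into entities, so the
    browser renders the term as text and never interprets it as tags or
    attributes. Encode at the point of output, not at the point of input.
    """
    return f'<div class="results">No organizations matching "{html.escape(q, quote=True)}"</div>'


def reflects_raw_input(url: str, body: str, param: str = "q") -> bool:
    """Return True if the decoded value of `param` appears verbatim in `body`.

    This is a regression check for the fix: after output encoding, a value
    that contains markup characters must not come back unchanged.
    """
    values = parse_qs(urlsplit(url).query).get(param, [])
    return any(v and v in body for v in values)


if __name__ == "__main__":
    # Constructed request: a harmless term containing markup characters.
    sample_url = "http://search.example.test/orgs/search?q=%3Cb%3Eacme"
    term = parse_qs(urlsplit(sample_url).query)["q"][0]
    print("unsafe reflects raw input:", reflects_raw_input(sample_url, render_unsafe(term)))
    print("safe reflects raw input:  ", reflects_raw_input(sample_url, render_safe(term)))
```

The check is deliberately simple: it only flags a response that contains the raw parameter value, so it confirms the encoding is applied but does not replace a proper context-aware review of every place the term is rendered (HTML body, attribute, script block or JSON).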
