Medium severity 6.1 · NVD Advisory · Published Oct 16, 2017 · Updated May 13, 2026
CVE-2017-15362
Description
osTicket 1.10.1 allows arbitrary client-side JavaScript code execution against victims who click a crafted support/scp/tickets.php?status= link, aka XSS. Session ID and data theft may follow, as well as the possibility of bypassing CSRF protections, injecting iframes to establish communication channels, etc. The vulnerability is present after logging in to the application. This affects a different tickets.php file than CVE-2015-1176.
Affected products: 1
Patches
No patches discovered yet.
References
- becomepentester.blogspot.ae/2017/10/osTicket-XSS-CVE-2017-15362.html (NVD, Third Party Advisory)