Medium severity 6.1 · NVD Advisory · Published Oct 16, 2017 · Updated Jun 17, 2026

CVE-2017-15362

Description

osTicket 1.10.1 allows arbitrary client-side JavaScript code execution on victims who click a crafted support/scp/tickets.php?status= link, aka XSS. Session ID and data theft may follow, as well as the possibility of bypassing CSRF protections, injection of iframes to establish communication channels, etc. The vulnerability is present after logging in to the application. This affects a different tickets.php file than CVE-2015-1176.

Affected products

  • Osticket/Osticket (2 versions)
    • cpe:2.3:a:osticket:osticket:1.10.1:*:*:*:*:*:*:*
    • (no CPE) range: =1.10.1
