Osticket
by Osticket
Source repositories
CVEs (60)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2009-2361 | | | 0.03 | — | 0.05 | | Jul 8, 2009 | SQL injection vulnerability in include/class.staff.php in osTicket before 1.6 RC5 allows remote attackers to execute arbitrary SQL commands via the staff username parameter. |
| CVE-2006-6733 | | | 0.03 | — | 0.01 | | Dec 26, 2006 | Cross-site scripting (XSS) vulnerability in support/view.php in Support Cards 1 (osTicket) allows remote attackers to inject arbitrary web script or HTML via the e parameter. |
| CVE-2005-2154 | | | 0.03 | — | 0.02 | | Jul 6, 2005 | PHP local file inclusion vulnerability in (1) view.php and (2) open.php in osTicket 1.3.1 beta and earlier allows remote attackers to include and possibly execute arbitrary local files via the inc parameter. |
| CVE-2025-45387 | | | 0.00 | — | 0.00 | | Jun 2, 2025 | osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php. |
| CVE-2025-26241 | | | 0.00 | — | 0.00 | | May 5, 2025 | A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination. |
| CVE-2023-46967 | | | 0.00 | — | 0.00 | | Feb 20, 2024 | Cross Site Scripting vulnerability in the sanitize function in Enhancesoft osTicket 1.18.0 allows a remote attacker to escalate privileges via a crafted support ticket. |
| CVE-2023-27149 | | | 0.00 | — | 0.00 | | Oct 23, 2023 | A stored cross-site scripting (XSS) vulnerability in Enhancesoft osTicket v1.17.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Label input parameter when updating a custom list. |
| CVE-2023-27148 | | | 0.00 | — | 0.00 | | Oct 23, 2023 | A stored cross-site scripting (XSS) vulnerability in the Admin panel in Enhancesoft osTicket v1.17.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Role Name parameter. |
| CVE-2023-30082 | | | 0.00 | — | 0.01 | | Jun 14, 2023 | A denial of service attack might be launched against the server if an unusually lengthy password (more than 10000000 characters) is supplied using the osTicket application. This can cause the website to go down or stop responding. When a long password is entered, this procedure… |
| CVE-2022-31890 | | | 0.00 | — | 0.01 | | Apr 5, 2023 | SQL Injection vulnerability in audit/class.audit.php in osTicket osTicket-plugins before commit a7842d494889fd5533d13deb3c6a7789768795ae via the order parameter to the getOrder function. |
| CVE-2022-31889 | | | 0.00 | — | 0.01 | | Apr 5, 2023 | Cross Site Scripting (XSS) vulnerability in audit/templates/auditlogs.tmpl.php in osTicket osTicket-plugins before commit a7842d494889fd5533d13deb3c6a7789768795ae. |
| CVE-2022-31888 | | | 0.00 | — | 0.01 | | Apr 5, 2023 | Session Fixation vulnerability in function login in class.auth.php in osTicket through 1.16.2. |
| CVE-2023-1316 | | | 0.00 | — | 0.01 | | Mar 10, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository osticket/osticket prior to v1.16.6. |
| CVE-2023-1315 | | | 0.00 | — | 0.01 | | Mar 10, 2023 | Cross-site Scripting (XSS) - Reflected in GitHub repository osticket/osticket prior to v1.16.6. |
| CVE-2023-1317 | | | 0.00 | — | 0.01 | | Mar 10, 2023 | Cross-site Scripting (XSS) - Reflected in GitHub repository osticket/osticket prior to v1.16.6. |
| CVE-2023-1318 | | | 0.00 | — | 0.01 | | Mar 10, 2023 | Cross-site Scripting (XSS) - Generic in GitHub repository osticket/osticket prior to v1.16.6. |
| CVE-2023-1319 | | | 0.00 | — | 0.00 | | Mar 10, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository osticket/osticket prior to v1.16.6. |
| CVE-2023-1320 | | | 0.00 | — | 0.01 | | Mar 10, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository osticket/osticket prior to v1.16.6. |
| CVE-2022-4271 | | | 0.00 | — | 0.01 | | Dec 2, 2022 | Cross-site Scripting (XSS) - Reflected in GitHub repository osticket/osticket prior to 1.16.4. |
| CVE-2022-32074 | | | 0.00 | — | 0.01 | | Jul 13, 2022 | A stored cross-site scripting (XSS) vulnerability in the component audit/class.audit.php of osTicket-plugins - Storage-FS before commit a7842d494889fd5533d13deb3c6a7789768795ae allows attackers to execute arbitrary web scripts or HTML via a crafted SVG file. |