CVE-2019-14749

Name of the Vulnerable Software and Affected Versions osTicket versions prior to 1.10.7 osTicket versions 1.12.x prior to 1.12.1

Description An issue exists in the export spreadsheets functionality of osTicket, where CSV injection is possible due to unvalidated or unfiltered user input in the Name and Internal Notes fields in the Users tab, and the Issue Summary field in the tickets tab. This allows other agents to download data in a .csv file format or .xls file format, which can be used as input for spreadsheet applications such as Excel and OpenOffice Calc. As a result, the end user who is accessing the exported spreadsheet can be affected. The vulnerability can be exploited by a remote attacker to execute arbitrary code.

Recommendations For osTicket versions prior to 1.10.7, update to version 1.10.7 or later. For osTicket versions 1.12.x prior to 1.12.1, update to version 1.12.1 or later. As a temporary workaround, consider restricting access to the export spreadsheets functionality until a patch is available. Avoid using the Name, Internal Notes, and Issue Summary fields in the affected tabs to minimize the risk of exploitation.