PT-2017-14022 · osTicket · osTicket
Published: 2017-10-16 · Updated: 2017-11-07 · CVE-2017-15362
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
osTicket version 1.10.1
Description
The issue is a reflected cross-site scripting (XSS) flaw: arbitrary client-side JavaScript executes in the browser of a victim who clicks a crafted support/scp/tickets.php?status= link, because the status parameter is reflected into the page without adequate encoding. This can lead to theft of the session ID and other data, bypassing of CSRF protections, and injection of iframes to establish communication channels. The vulnerable page is only reachable after logging in, so the victim must be authenticated to the application when following the link.
Recommendations
For osTicket version 1.10.1, consider restricting access to the tickets.php file until a fix is available. As a temporary workaround, avoid using the status parameter in the support/scp/tickets.php link to minimize the risk of exploitation.
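As an added example (not part of the advisory or the osTicket project), the following Python scan of web-server access logs flags requests to support/scp/tickets.php whose status parameter carries markup or an unexpected value, which is one way to check whether the crafted link described above has been used while the workaround is in place. The sample log lines and the allow-list of status values are constructed assumptions; adjust the allow-list to your deployment.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined log format (not from the advisory).
# Line 2 carries a status value containing markup, the trace a crafted
# support/scp/tickets.php?status= link leaves behind in the server log.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Oct/2017:10:01:12 +0000] "GET /support/scp/tickets.php?status=open HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Oct/2017:10:02:40 +0000] "GET /support/scp/tickets.php?status=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5133 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Oct/2017:10:03:01 +0000] "GET /support/scp/tickets.php?status=closed&page=2 HTTP/1.1" 200 5098 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Oct/2017:10:03:15 +0000] "GET /support/scp/index.php HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method and request target of a combined-format line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) ')

# Assumed allow-list of legitimate status values (the advisory does not list them).
KNOWN_STATUSES = {"open", "closed", "overdue", "answered", "assigned"}

# Characters and fragments that have no business in a ticket status name.
MARKUP_RE = re.compile(r'[<>"\']|javascript:|\bon\w+\s*=', re.IGNORECASE)

def classify_status(value):
    """Return 'markup', 'unlisted' or None for one once-decoded status value."""
    decoded = unquote(value)  # decode again so double-encoded values are caught
    if MARKUP_RE.search(decoded):
        return "markup"
    if decoded.strip().lower() not in KNOWN_STATUSES:
        return "unlisted"
    return None

def scan_log(text):
    """Flag requests to support/scp/tickets.php whose status parameter looks crafted."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/support/scp/tickets.php"):
            continue
        # parse_qs percent-decodes once and returns every repeated value.
        for raw in parse_qs(url.query, keep_blank_values=True).get("status", []):
            reason = classify_status(raw)
            if reason:
                hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "status": unquote(raw), "reason": reason})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} reason={hit['reason']} status={hit['status']!r}")
```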
Fix
XSS
Affected Products: osTicket