CVE-2019-11537

Name of the Vulnerable Software and Affected Versions osTicket versions prior to 1.12

Description The issue exists due to the possibility of XSS via several API endpoints, including "/upload/file.php", "/upload/scp/users.php?do=import-users", and "/upload/scp/ajax.php/users/import", when an agent manager user uploads a crafted .csv file to the User Importer. This occurs because file contents can appear in an error message, potentially leading to local file inclusion.

Recommendations For versions prior to 1.12, update to version 1.12 or later to resolve the issue. As a temporary workaround, consider restricting access to the User Importer feature to minimize the risk of exploitation. Avoid using the User Importer to upload .csv files from untrusted sources until the issue is resolved.