A vulnerability in Enhancesoft’s flagship product osTicket could allow an unauthenticated, remote attacker to execute arbitrary JavaScript code to escalate to admin privileges. os Ticket is a widely-used open source support ticket system written in PHP.

The vulnerability resides in the application which allows an attacker to upload any arbitrary file. An attacker cannot execute a malicious PHP file as the file is stored in the database and not in the application server. Instead, malicious SVG can be stored and executed. As SVG is rendered on the same domain and allows javascript the technique can be used to exploit the vulnerability and use the arbitrary file vulnerability to store XSS payload.

os Ticket vulnerabilities anyone to create a support ticket. And while creating a ticket an attacker can upload the malicious SVG as described above. This is accessible by both customers as well as administrators. Once the admin opens the malicious file, the XSS payload is executed at the admin panel which compromises the integrity. An attacker can inject arbitrary HTML and JavaScript code into the website. This would alter the appearance. And since the application doesn't set cookie flags programmatically, an attacker can compromise the administrative user by stealing the cookies using document. cookie

(osTicket) Vulnerable Code

Below function, attach() accepts the file without validating it, which allows a user to upload an attacker to upload any arbitrary file.



Function download() fetches the file along with the mentioned headers. In the below code snippet, the disposition is passed to the download function and in the case of an SVG inline is passed instead of the default value attachment.




Here, session_set_cookie_params lacks the HttpOnly flag, allowing any JavaScript to access the cookie.




Proof of Concept



When creating a new ticket a user can upload images. Since no restriction is implemented on filetype an attacker can upload an arbitrary file, here it is an SVG with malicious JavaScript.



As the Content-Disposition for SVG is inline the file is rendered by the browser instead of downloading it.

Additionally, Cookie is not marked HttpOnly as discussed previously. This can allow an attacker to fetch the session cookie of a user.


The ticket is accessible by admin and thus after clicking on the file the SVG is rendered on the browser and the admin user’s session is compromised.

Vendor Confirmed: Yes

Version: 1.10.1

Solution: Update to the latest version

Fixed Version: 1.10.2 or later.

Vendor URL: https://osticket.com/


Topics: XSS, application security, Vulnerability

Nishaanth Guna

Written by Nishaanth Guna

Lead Security Researcher, Appknox.

Recent Posts