Below function attach() accepts the file without validating it. Which allows a user to upload an attacker to upload any arbitrary file.
Function download() fetches the file along the mentioned headers. In the below code snippet, the disposition is passed to the download function and in case of an SVG inline is passed instead of default value attachment.
Proof of Concept
As the Content-Disposition for SVG is inline the file is rendered by the browser instead of downloading it.
Additionally, Cookie is not marked HttpOnly as discussed previously. This can allow an attacker to fetch the session cookie of a user.
The ticket is accessible by admin and thus after clicking on the file the SVG is rendered on the browser and the admin user’s session is compromised.
Vendor Confirmed: Yes
Solution: Update to the latest version
Fixed Version: 1.10.2 or later.
Vendor URL: https://osticket.com/