3.5

CVE-2010-0606

Exploit
Cross-site scripting (XSS) vulnerability in scp/ajax.php in osTicket before 1.6.0 Stable allows remote authenticated users to inject arbitrary web script or HTML via the f parameter, possibly related to an error message generated by scp/admin.php.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
OsticketOsticket Updaterc5 Version <= 1.6
OsticketOsticket Version1
OsticketOsticket Version1.2.7
OsticketOsticket Version1.3.0
OsticketOsticket Version1.6 Updaterc1
OsticketOsticket Version1.6 Updaterc2
OsticketOsticket Version1.6 Updaterc3
OsticketOsticket Version1.6 Updaterc4
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.87% 0.54
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 3.5 6.8 2.9
AV:N/AC:M/Au:S/C:N/I:P/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

http://osticket.com/forums/project.php?issueid=176
Patch
http://secunia.com/advisories/38515
Vendor Advisory
http://www.securityfocus.com/bid/38166
http://packetstormsecurity.org/1002-exploits/osTicket-1.6-RC5-ReflectedXSS.pdf
Exploit