Cross-site scripting in osTicket (CVE-2020-24917)
A cross-site scripting vulnerability is present in osTicket before version 1.14.3.
The vulnerability was found automatically by the NAVEX project, in the file ajax.draft.php, inside the function _uploadInlineImage().
Here’s the vulnerable code snippet (non-relevant lines have been omitted for clarity):

```php
$file = AttachmentFile::format($_FILES['file']);
$ids = $draft->attachments->upload($file);
$id = (is_array($ids)) ? $ids[0] : $ids;
if (!($f = AttachmentFile::lookup($id)))
    return Http::response(500, 'Unable to attach image');
echo JsonDataEncoder::encode(array(
    $f->getName() => array(
        'content_id' => 'cid:'.$f->getKey(),
        'id' => $f->getKey(),
        // Return draft_id to connect the auto draft creation
        'draft_id' => $draft->getId(),
        'url' => $f->getDownloadUrl(
            ['type' => 'D', 'deposition' => 'inline']),
    )));
```
This endpoint is meant to be called by JavaScript code in the frontend when a file is uploaded via the JavaScript text editor, and it returns a JSON object with some information about the uploaded file.
However, the name of the uploaded file (which is user-controlled) is reflected back into the echoed JSON without any escaping.
This, combined with insufficient CSRF protection and the lack of a Content-Type header on this endpoint, allows an attacker to execute arbitrary JS code in a victim’s browser: because the response does not declare itself as JSON, a browser can interpret the reflected file name as markup.
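The following is an added example of how such an endpoint can be hardened; it is not osTicket’s own code nor the actual patch shipped in 1.14.3. The helper names (sanitizeFileName, encodeUploadResponse, sendJson) and the CSRF-token session key are assumptions made for the example. It addresses the three conditions named above: the response is declared as JSON and marked non-sniffable, the reflected file name is escaped so it can never form a tag, and the request is tied to a session token.

```php
<?php
// Added example, not osTicket's code: hardened JSON response for an
// inline-image upload endpoint.

// Hypothetical CSRF check: the token name and session key are assumptions.
function csrfTokenIsValid(): bool {
    $sent = $_POST['__CSRFToken__'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && hash_equals($expected, $sent);
}

// Hypothetical helper: drop path components and control characters
// from a user-supplied file name before it is stored or echoed.
function sanitizeFileName(string $name): string {
    $name = basename($name);
    $name = preg_replace('/[\x00-\x1F\x7F]/', '', $name);
    return $name === '' ? 'upload' : $name;
}

// Same response structure as the vulnerable endpoint, but encoded so that
// <, >, &, ' and " become \uXXXX escapes inside the JSON string. Even a
// response mis-rendered as HTML then contains no tags.
function encodeUploadResponse(string $fileName, string $key, int $draftId, string $url): string {
    $payload = [
        sanitizeFileName($fileName) => [
            'content_id' => 'cid:' . $key,
            'id'         => $key,
            'draft_id'   => $draftId,
            'url'        => $url,
        ],
    ];
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR;
    return json_encode($payload, $flags);
}

// Declare the body as JSON and forbid MIME sniffing, so the browser never
// treats the reflected file name as a document to render.
function sendJson(string $body): void {
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo $body;
}

if (!csrfTokenIsValid()) {
    http_response_code(403);
    exit;
}
// Constructed input: a file name carrying markup, as a malicious upload would.
sendJson(encodeUploadResponse('invoice<script>.png', 'k1', 42, '/file.php?key=k1'));
```

With these flags the file name is emitted as `invoice\u003Cscript\u003E.png`, so the key in the returned object is harmless both as JSON and if a browser ever rendered the body as HTML.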
We contacted the developers, who responded immediately and fixed the vulnerability very soon after disclosure, in release 1.14.3.