Cross-site scripting in OsTicket (CVE-2020-24917)

A cross-site scripting (XSS) vulnerability is present in OsTicket before version 1.14.3.

The vulnerability was found automatically by the NAVEX project, in the file ajax.draft.php, inside the function _uploadInlineImage().

Here is the vulnerable code snippet (irrelevant lines have been omitted for clarity):

$file = AttachmentFile::format($_FILES['file']);
$ids = $draft->attachments->upload($file);
$id = (is_array($ids)) ? $ids[0] : $ids;
if (!($f = AttachmentFile::lookup($id)))
    return Http::response(500, 'Unable to attach image');

// The uploaded file's name (user-controlled) becomes a key of the echoed JSON
echo JsonDataEncoder::encode(array(
    $f->getName() => array(
        'content_id' => 'cid:'.$f->getKey(),
        'id' => $f->getKey(),
        // Return draft_id to connect the auto draft creation
        'draft_id' => $draft->getId(),
        'url' => $f->getDownloadUrl(
            ['type' => 'D', 'deposition' => 'inline']),
    )));

This endpoint is meant to be called by JavaScript code in the frontend when a file is uploaded through the JavaScript text editor, and it returns a JSON object with some information about the uploaded file.

However, the name of the uploaded file (which is user-controlled) is reflected back, unescaped, into the echoed JSON.

This, combined with insufficient CSRF protection and the lack of a Content-Type header on this endpoint, allows an attacker to execute arbitrary JavaScript in a victim's browser.
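As an added illustration (not OsTicket's code, and not necessarily how release 1.14.3 fixed it), the same response is written below in its vulnerable shape beside a hardened shape that addresses the three conditions just named; the function names, the CSRF header name and the sample filename are assumptions:

```php
<?php
// Added example, not osTicket code. Shows the response pattern from the
// advisory in an unsafe and a hardened form. Names below are assumed.

// Vulnerable shape: the caller-controlled filename becomes a JSON key and the
// body is emitted without a Content-Type, so a browser may sniff it as HTML.
function unsafe_response(string $filename, string $key): string {
    return json_encode([$filename => ['id' => $key, 'content_id' => 'cid:' . $key]]);
}

// Hardened shape: (1) the response declares itself JSON, (2) MIME sniffing is
// disabled, (3) HTML-significant characters inside the JSON are hex-escaped,
// so the body stays inert even if a browser ever rendered it as a document.
function safe_response(string $filename, string $key): string {
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return json_encode([$filename => ['id' => $key, 'content_id' => 'cid:' . $key]], $flags);
}

// Minimal CSRF gate: answer only requests that carry the session's token in a
// custom header (hypothetical header name; osTicket has its own mechanism).
// A custom header cannot be set by a plain cross-site form post.
function csrf_ok(array $headers, string $expected): bool {
    return isset($headers['X-CSRFToken'])
        && hash_equals($expected, $headers['X-CSRFToken']);
}

// Constructed sample input: a filename containing HTML metacharacters.
$name = 'report <draft> & "notes".png';
$unsafe = unsafe_response($name, 'k1');
$safe   = safe_response($name, 'k1');

echo "unsafe: ", $unsafe, "\n";
echo "safe:   ", $safe, "\n";
echo "csrf ok: ", var_export(csrf_ok(['X-CSRFToken' => 'tok'], 'tok'), true), "\n";
echo "csrf ok (missing header): ", var_export(csrf_ok([], 'tok'), true), "\n";
```

Run from the command line the two json_encode outputs differ only in the escaping of the filename; in a web SAPI the header() calls must precede any output, as they do here.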

We contacted the developers, who responded immediately and fixed the vulnerability soon after disclosure, in release 1.14.3.