osTicket 1.10.1 Unauthenticated Stored XSS allows an attacker to gain admin privileges
CVE Reference: CVE-2019-13397
Description: The upload functionality in the create-ticket module of osTicket 1.10.1 allows an attacker to perform unauthenticated stored XSS.
The application accepts arbitrary file extensions when a support ticket is created, which allows an attacker to upload a malicious file and execute arbitrary JavaScript.
As the application does not set cookie flags programmatically, an attacker can compromise the administrative user by stealing the session cookies with JavaScript.
Impact: It is possible to steal or manipulate customer sessions and cookies, which might be used to impersonate a legitimate user. An attacker can redirect the victim or perform other malicious operations on the user's machine.
Proof of Concept:
Create a new ticket and upload a malicious SVG.
The malicious SVG is executed on the customer's end.
The malicious SVG is executed in the admin panel once the malicious file is opened.
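The three weaknesses the advisory chains (an unrestricted upload, an SVG rendered in the application's origin, and session cookies readable from JavaScript) each have a straightforward control. The following is an added example, not osTicket's own code or its patch: an extension allowlist plus a content check that refuses script-bearing SVG, the headers a download endpoint should send so a stored file is never rendered inline, and a Set-Cookie value with the missing flags. The allowlist and the sample SVG inputs are constructed for illustration.

```python
from __future__ import annotations
import os
import re

# Attachment types a help desk typically needs; an assumption for this example.
ALLOWED_EXTENSIONS = {"txt", "pdf", "png", "jpg", "jpeg", "gif", "zip"}

# Markers of active content inside SVG/XML: scripts, event handlers,
# javascript: URLs, foreignObject (arbitrary HTML) and data: hrefs.
_ACTIVE_SVG = re.compile(
    rb"<\s*script\b|\son[a-z]+\s*=|javascript\s*:|<\s*foreignObject\b"
    rb"|xlink:href\s*=\s*[\"']?\s*data:",
    re.IGNORECASE,
)

def check_attachment(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Rejects disallowed extensions and any SVG/XML body."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext or '(none)'}' not in allowlist"
    # Inspect the bytes regardless of the declared extension: an SVG renamed
    # to .png is still SVG to a browser that sniffs content.
    head = data.lstrip()[:4096]
    if head.startswith(b"<?xml") or b"<svg" in head:
        if _ACTIVE_SVG.search(data):
            return False, "SVG/XML markup contains script or event handlers"
        return False, "SVG/XML content is not accepted as an image attachment"
    return True, "ok"

def download_headers(filename: str) -> dict[str, str]:
    """Headers for serving a stored attachment: force download, forbid MIME sniffing."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }

def session_cookie(name: str, value: str) -> str:
    """Set-Cookie value with the flags that keep the session out of reach of page scripts."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"

# Constructed sample inputs: an SVG carrying an event handler, and a plain one.
MALICIOUS_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"></svg>'
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="1"/></svg>'
```

With HttpOnly set, the stored script in the advisory can still run in the customer's or admin's browser, but it can no longer read the session cookie, which is why both the upload check and the cookie flags are needed.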
Vendor Confirmed: Yes
Version: 1.10.1
Solution: A patch has been released by the developers.
Fixed Version: 1.10.2 or later.
Vendor URL: https://osticket.com/