CVE-2023-46967 - Cross Site Scripting Vulnerability in Enhancesoft osTicket 1.18. Results in Privilege Escalation

A recently discovered Cross Site Scripting (XSS) vulnerability in Enhancesoft osTicket 1.18. allows remote attackers to escalate privileges through a specially crafted support ticket. This can have severe implications for organizations using osTicket as their helpdesk solution. A remote attacker could leverage this vulnerability to perform unauthorized actions, leading to potential data breaches and loss of sensitive information.

Vulnerability Details

Exploitation of this vulnerability requires an attacker to create a specially manipulated support ticket, which in turn will exploit the vulnerable "sanitize" function of osTicket 1.18..

The key issue lies in the improper sanitization of user input, allowing a malicious user to inject JavaScript code that will be executed when an administrator or support agent reviews the ticket. This could allow attackers to hijack sessions, manipulate the system, or steal sensitive data.

Affected Component

The vulnerability exists in the "sanitize()" function of Enhancesoft osTicket 1.18., which is responsible for sanitizing user input before storing it in the system or displaying it to other users.

Proof of Concept

The following code snippet demonstrates the weak point in the "sanitize()" function that leads to the vulnerability:

function sanitize($input) {
    // Perform sanitization to remove HTML tags and other dangerous content.
    $clean_input = strip_tags($input);

    return $clean_input;
}

This function fails to properly filter user input, as it only removes HTML tags. An attacker can insert a piece of JavaScript code enclosed in an HTML attribute, like the following:

<img src="x" onerror="alert('XSS found!')" />

When this payload is included in a support ticket, the "sanitize()" function will incorrectly interpret it as safe, allowing the embedded script to execute.

Submit the ticket.

When an administrator or support agent views the ticket, the injected JavaScript code will execute in their browser, allowing the attacker to perform any actions their victims have access to.

Mitigation and Solutions

The enhance's developer team has acknowledged this vulnerability and released a patch in osTicket version 1.18.1 to address the issue. Users are advised to update their osTicket installations as soon as possible to avoid potential exploits.

To apply the patch, follow these steps

1. Download the latest version of osTicket from the official website: (https://osticket.com/download/)

Replace your existing osTicket files with the new version.

4. Run the upgrade script as indicated in the upgrade guide: (https://docs.osticket.com/en/latest/Getting%20Started/Upgrading%20osTicket.html)

References

- Enhancesoft osTicket official website: https://osticket.com/
- osTicket GitHub repository: https://github.com/osTicket/osTicket
- osTicket 1.18.1 release notes: https://github.com/osTicket/osTicket/releases/tag/v1.18.1
- CVE-2023-46967 - National Vulnerability Database entry: https://nvd.nist.gov/vuln/detail/CVE-2023-46967

Timeline

Published on: 02/20/2024 21:15:07 UTC
Last modified on: 02/20/2024 21:52:55 UTC