Vendor: osTicket
By:
CVSS: 7.5 (HIGH)
Vulnerability Type: Remote Command Execution
CWE: 78
Product Name: osTicket
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Platforms Tested:
osTicket Remote Command Execution Vulnerability
osTicket is prone to a remote command execution vulnerability. Attachments submitted as part of a support ticket request are stored under a predictable name in a known, web-accessible location. An attacker can exploit this vulnerability by submitting a malicious attachment and executing arbitrary commands on the affected system.
Mitigation:
To mitigate this vulnerability, ensure that attachments are properly validated and stored under unpredictable names. Additionally, consider implementing access controls so that attachment directories are not publicly reachable and files are only served to users entitled to the ticket.
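One way to implement this mitigation in PHP, as an added example that is not osTicket's own code: the storage directory, the size limit, the content-type allow-list and the `mayAccess` callback are assumptions, and the file is never given a URL of its own.

```php
<?php
// Added example (not osTicket's code): hardened ticket-attachment storage.
// Assumes a storage directory outside the web root and an access-check callback.
declare(strict_types=1);

const ATTACHMENT_DIR = '/var/lib/ticketing/attachments'; // assumed path, not web-accessible
const MAX_BYTES = 5 * 1024 * 1024;                       // assumed limit
const ALLOWED_MIME = ['application/pdf' => 1, 'image/png' => 1, 'image/jpeg' => 1, 'text/plain' => 1];

// Store an uploaded file; returns the opaque record to persist with the ticket.
function storeAttachment(string $tmpPath, string $clientName, int $size): array
{
    if ($size <= 0 || $size > MAX_BYTES || !is_uploaded_file($tmpPath)) {
        throw new RuntimeException('rejected upload');
    }
    // Decide the type from file content, not from the client-supplied name or header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!array_key_exists($mime, ALLOWED_MIME)) {
        throw new RuntimeException('disallowed content type');
    }
    // Unpredictable, extension-less name; the original name survives only as metadata
    // and is reduced to a safe character set before it can reach a response header.
    $key = bin2hex(random_bytes(16));
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($clientName)) ?: 'attachment';
    $dest = ATTACHMENT_DIR . '/' . $key;
    if (!move_uploaded_file($tmpPath, $dest)) {
        throw new RuntimeException('storage failure');
    }
    chmod($dest, 0640); // readable by the application user only, never executable
    return ['key' => $key, 'mime' => $mime, 'name' => $safeName, 'size' => $size];
}

// Serve an attachment only after the caller's ticket access has been verified.
// $mayAccess is an assumed callback that checks the current user against the ticket.
function sendAttachment(array $rec, callable $mayAccess): void
{
    if (!preg_match('/^[0-9a-f]{32}$/', $rec['key']) || !$mayAccess($rec)) {
        http_response_code(403);
        return;
    }
    $path = ATTACHMENT_DIR . '/' . $rec['key'];
    header('Content-Type: ' . $rec['mime']);
    header('X-Content-Type-Options: nosniff');                       // no browser type guessing
    header('Content-Disposition: attachment; filename="' . $rec['name'] . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}
```

Because the stored file has no extension, sits outside the document root and is only streamed through `sendAttachment`, neither a guessable name nor a misconfigured handler mapping gives a requester a way to execute it.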