CVE-2017-15362

Source
https://cve.org/CVERecord?id=CVE-2017-15362
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-15362.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-15362
Published
2017-10-16T01:29:00.997Z
Modified
2026-07-08T12:05:38.388537Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

osTicket 1.10.1 allows arbitrary client-side JavaScript code execution on victims who click a crafted support/scp/tickets.php?status= link, aka XSS. Session ID and data theft may follow as well as the possibility of bypassing CSRF protections, injection of iframes to establish communication channels, etc. The vulnerability is present after login into the application. This affects a different tickets.php file than CVE-2015-1176.

References

Affected packages

Git / github.com/osticket/osticket

Affected ranges

Type
GIT
Repo
https://github.com/osticket/osticket
Events
Database specific
{
    "source": "CPE_STRING",
    "cpe": "cpe:2.3:a:osticket:osticket:1.10.1:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "1.10.1"
        },
        {
            "last_affected": "1.10.1"
        }
    ]
}

Affected versions

1.*
1.10.1
v1.*
v1.10.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-15362.json"