osTicket Broken Access Control Vulnerability in AJAX Functions

Vulnerability

A broken access control vulnerability exists in osTicket versions prior to 1.17.6 and 1.18.2. The issue resides in the system's AJAX functions: the functions that handle system log (syslog) management do not properly restrict who may call them, so a normal agent, who is not supposed to see system logs, can retrieve them by invoking those functions directly. Because the weakness lies in the AJAX layer rather than in a single admin page, the advisory notes that further access issues through AJAX content are possible.

Impact

Exploitation allows an authenticated normal agent to read system log entries through the AJAX interface. In osTicket, system logs are otherwise reserved for administrators and can contain error details, IP addresses, and other operational information that is useful for further attacks. The precondition is a valid agent account; the advisory does not describe an unauthenticated path.

Reproduction

To reproduce this vulnerability, log into osTicket as a normal (non-admin) agent. Identify the AJAX requests that the system-log functions accept (for example, by watching the browser's network tab while an administrator views the system logs), then issue the same requests from the normal agent's session. On an affected version the requests succeed and return log data because no proper access check is applied; on a fixed version they should be refused with an access-denied response. Run this check against a test copy rather than production, since the logs may contain sensitive data.
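The pattern behind this bug class, shown as an added example that is not osTicket's own code and does not reproduce its actual routes: an AJAX handler that only checks that some agent is logged in, beside the hardened form that requires the administrative role on the AJAX route itself. It is modelled on osTicket conventions (a Staff object with isAdmin(), Http::response() to emit a status code), but the class, method and stub names are hypothetical, the Staff and Http stand-ins exist only so the file runs offline, and the log entries are constructed sample data. Requires PHP 8.1 or later.

```php
<?php
// Added illustrative example, not osTicket's own code. Class, method and
// stub names are hypothetical; Staff and Http are minimal stand-ins for
// the osTicket objects so that this file runs stand-alone:
//   php syslog_acl_example.php

class Staff {
    public function __construct(private string $name, private bool $admin) {}
    public function getName(): string { return $this->name; }
    public function isAdmin(): bool   { return $this->admin; }
}

// Stand-in for Http::response(): instead of writing an HTTP status and
// exiting, throw so the demo below can observe the denial.
class Http {
    public static function response(int $code, string $body): never {
        throw new RuntimeException("HTTP $code: $body");
    }
}

// Constructed sample entries standing in for the real syslog table.
function fetchLogEntries(): array {
    return [
        ['level' => 'Error',   'title' => 'DB Error #1054', 'ip' => '198.51.100.7'],
        ['level' => 'Warning', 'title' => 'Mailer failure', 'ip' => '203.0.113.9'],
    ];
}

// Vulnerable pattern: the only gate is "some agent is logged in".
// A normal (non-admin) agent satisfies it and receives the logs.
class SyslogAjaxVulnerable {
    public function getLogs(?Staff $thisstaff): array {
        if (!$thisstaff)
            Http::response(403, 'Login required');
        return fetchLogEntries();
    }
}

// Hardened pattern: deny by default and require the administrative role
// on the AJAX route itself, not only on the page that links to it.
class SyslogAjaxHardened {
    public function getLogs(?Staff $thisstaff): array {
        if (!$thisstaff || !$thisstaff->isAdmin())
            Http::response(403, 'Access denied');
        return fetchLogEntries();
    }
}

// Exercise a handler as an anonymous caller, a normal agent and an admin.
function demo(object $handler, ?Staff $who): string {
    $name = $who ? $who->getName() : 'anon';
    try {
        $n = count($handler->getLogs($who));
        return sprintf('%-6s -> 200 (%d log entries)', $name, $n);
    } catch (RuntimeException $e) {
        return sprintf('%-6s -> %s', $name, $e->getMessage());
    }
}

$agent = new Staff('agent', admin: false);
$admin = new Staff('admin', admin: true);

$handlers = [
    'vulnerable' => new SyslogAjaxVulnerable(),
    'hardened'   => new SyslogAjaxHardened(),
];
foreach ($handlers as $label => $handler) {
    echo "[$label]\n";
    foreach ([null, $agent, $admin] as $who)
        echo '  ', demo($handler, $who), "\n";
}
```

Running it shows the difference in one screen: under the vulnerable handler the normal agent gets the two log entries, under the hardened handler only the admin does and both the anonymous caller and the normal agent receive the 403. The point to carry over to real code is that the authorization check belongs on every AJAX route that returns privileged data, since an agent can call the route directly without ever visiting the admin page that would normally gate it.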

Remediation

Upgrade to osTicket 1.17.6 or 1.18.2 (or a later release on the respective branch), where this vulnerability has been addressed. After upgrading, repeat the reproduction check from a normal agent's session to confirm that the system-log requests are now refused. Until the upgrade is applied, keep agent accounts limited to trusted staff, since any agent login is sufficient to trigger the issue.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          5.2
impact          0.6
exploitability  6.4
remediation     7.7
relevance       0.2
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.