osTicket Arbitrary File Read Vulnerability in PDF Export Functionality

A vulnerability allowing arbitrary file read has been identified in osTicket versions through 1.18.2. This issue arises in the ticket PDF export feature, where a remote attacker can submit a ticket with specially crafted rich-text HTML that includes PHP filter expressions. These expressions are not properly sanitized before being processed by the mPDF PDF generator during the export. As a result, the exported PDF can embed contents from attacker-selected files on the server filesystem as bitmap images. This exploitation allows the disclosure of sensitive local files, viewed in the context of the osTicket application user. The vulnerability is exploitable in default configurations that permit guests to create tickets and access ticket status, or where self-registration is enabled.

Impact

Exploitation of this vulnerability could lead to unauthorized access and disclosure of sensitive files from the server filesystem, potentially including confidential information or application-related data.