CVE-2021-45811
published 2023-09-08


Priority: P349 (medium)
CVSS 3.1 base score: 6.5
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploit: available
EPSS: 2.81% (84.7th percentile)
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket 1.15.x allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.

Affected (1 range)

Vendor: enhancesoft
Product: osticket
Version range: 1.15 – 1.15.8
Fixed in: not listed

Detection & IOCs (extracted from sources)

url: /tickets.php?a=search&keywords=text'+:1&topic_id=topic_id_val
path: /tickets.php
  • The SQLi payload is delivered via the 'keywords' and 'topic_id' URL parameters on tickets.php?a=search; monitor GET requests to this endpoint for anomalous values such as single quotes or arithmetic expressions in these parameters.
  • The exploit first extracts the CSRF token from the login page body using the pattern '__CSRFToken__" value="(.*?)"' before the attack sequence; a two-step flow (login, then SQLi) is characteristic of this exploit chain.
  • Shodan/FOFA fingerprint for exposed osTicket instances: title:"osTicket" (Shodan) or title="osticket" (FOFA), useful for inventorying your own exposed attack surface.
  • Exploitation requires prior authentication: the attacker must successfully log in via /scp/login.php before the SQLi request to /tickets.php is issued.
  • The vulnerability is scoped to osTicket 1.15.x only; tune detections to the confirmed affected version range (1.15 – 1.15.8).
  • The exploit is a two-step HTTP flow: step 1 fetches the CSRF token from the login page, step 2 authenticates and then fires the SQLi. Single-request detections will miss the full chain; correlate the login and the search request by source address or session.
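The detection logic described in the bullets above, written out as an added example that is not part of the original record: it parses Apache combined-format access-log lines (constructed sample data, not real traffic), flags tickets.php?a=search requests whose keywords/topic_id values contain SQL metacharacters, and labels a hit as the full chain when the same source address POSTed to /scp/login.php earlier in the log. The log format and the login/search paths are assumptions taken from the IOCs listed here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Sep/2023:10:01:02 +0000] "GET /scp/login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Sep/2023:10:01:05 +0000] "POST /scp/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Sep/2023:10:01:09 +0000] "GET /tickets.php?a=search&keywords=text%27%2B%3A1&topic_id=topic_id_val HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
198.51.100.2 - - [08/Sep/2023:10:02:11 +0000] "GET /tickets.php?a=search&keywords=printer&topic_id=3 HTTP/1.1" 200 7710 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Values a benign ticket search never needs: quotes, comment markers,
# arithmetic/boolean operators followed by a number, or bare SQL keywords.
SUSPICIOUS = re.compile(
    r"""['"`;]|--|/\*|[+\-*/%]\s*:?\d|\b(or|and|union|select|sleep|benchmark)\b""",
    re.IGNORECASE,
)

def parse_line(line):
    """Parse one access-log line into a dict; return None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs already percent-decodes, so keywords=text%27%2B%3A1 becomes "text'+:1".
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return rec

def is_suspicious_search(rec):
    """True for /tickets.php?a=search with SQL metacharacters in keywords or topic_id."""
    q = rec["query"]
    if rec["path"] != "/tickets.php" or q.get("a") != "search":
        return False
    return any(SUSPICIOUS.search(q.get(p, "")) for p in ("keywords", "topic_id"))

def detect(log_text):
    """Return (ip, timestamp, reason) per flagged search; 'sqli-after-login' when the
    same IP POSTed to /scp/login.php earlier, i.e. the two-step chain is complete."""
    logged_in, hits = set(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == "/scp/login.php":
            logged_in.add(rec["ip"])
        elif is_suspicious_search(rec):
            reason = "sqli-after-login" if rec["ip"] in logged_in else "sqli-no-prior-login"
            hits.append((rec["ip"], rec["ts"], reason))
    return hits
```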