CVE-2019-11537

MEDIUM

osTicket < 1.12 - Cross-Site Scripting via User Importer CSV File Upload

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-11537. PoCs published by AkkuS.

AI-analyzed exploit summary

This exploit demonstrates a chained vulnerability in osTicket v1.11, where an XSS vulnerability in the 'Import' field on the Agent Panel is leveraged to achieve Local File Inclusion (LFI). The attacker uploads a malicious JavaScript file that reads local files (e.g., /etc/passwd) and exfiltrates their contents to an attacker-controlled server.

Description

In osTicket before 1.12, XSS exists via /upload/file.php, /upload/scp/users.php?do=import-users, and /upload/scp/ajax.php/users/import if an agent manager user uploads a crafted .csv file to the User Importer, because file contents can appear in an error message. The XSS can lead to local file inclusion.

Exploits (1)

exploitdb · Working PoC · Verified
by AkkuS · text · webapps · php
https://www.exploit-db.com/exploits/46753

Classification
Working PoC: 95%
Attack Type: XSS, LFI
Complexity: Moderate
Reliability: Reliable
Target: osTicket v1.11
Auth required: yes
Prerequisites: Access to the Agent Panel in osTicket · Ability to upload a malicious JavaScript file · Victim interaction to trigger the XSS payload
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Exploit, Third Party Advisory, VDB Entry (exploit, x_refsource_exploit-db): https://www.exploit-db.com/exploits/46753/
Third Party Advisory (x_refsource_misc): https://github.com/osTicket/osTicket/pull/4869
Exploit, Third Party Advisory (x_refsource_misc): https://pentest.com.tr/exploits/osTicket-v1-11-XSS-to-LFI.html
Exploit, Third Party Advisory, VDB Entry (x_refsource_misc): https://www.exploit-db.com/exploits/46753
Third Party Advisory (x_refsource_misc): https://github.com/osTicket/osTicket/releases/tag/v1.12

Scores

CVSS v3 6.1
EPSS 0.0462
EPSS Percentile 90.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
osticket/osticket < 1.12
Published Apr 25, 2019
Tracked Since Feb 18, 2026