CVE-2022-32074

MEDIUM

osTicket-plugins - Storage-FS < 2022-05-19 - Stored Cross-Site Scripting via SVG File Upload

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-32074. PoCs published by reewardius.

AI-analyzed exploit summary The repository lacks functional exploit code and instead provides vague instructions with external image links, resembling a social engineering lure rather than a legitimate PoC.

Description

A stored cross-site scripting (XSS) vulnerability in the component audit/class.audit.php of osTicket-plugins - Storage-FS before commit a7842d494889fd5533d13deb3c6a7789768795ae allows attackers to execute arbitrary web scripts or HTML via a crafted SVG file.

Exploits (1)

nomisec SUSPICIOUS

by reewardius · poc

https://github.com/reewardius/CVE-2022-32074

View Code ZIP pw:eip

The repository lacks functional exploit code and instead provides vague instructions with external image links, resembling a social engineering lure rather than a legitimate PoC.

Classification

Suspicious 90%

Attack Type

Xss

Complexity

Theoretical

Reliability

Theoretical

Target: osTicket Support Ticketing System

No auth needed

Prerequisites: Access to file upload directory

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3

Core References

Third Party Advisory x_refsource_misc

https://owasp.org/www-community/attacks/xss/

Product, Third Party Advisory x_refsource_misc

https://github.com/osTicket/osTicket-plugins

View Writeup ZIP pw:eip

Patch, Third Party Advisory x_refsource_misc

https://github.com/osTicket/osTicket-plugins/commit/a7842d494889fd5533d13deb3c6a7789768795ae

View Patch ZIP pw:eip

Scores

CVSS v3 5.4

EPSS 0.0123

EPSS Percentile 65.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

osticket/osticket < 2022-05-19

Published Jul 13, 2022

Tracked Since Feb 18, 2026