osTicket v1.18.3 - v1,17.7 - BOLA/IDOR in ticket field viewing allows cross-department data disclosure

7,1

High

Discovered by

Juan Felipe Osorio Z

External researcher

Summary

Full name

osTicket v1.18.3 - v1.17.7 - BOLA/IDOR in ticket field viewing allows cross-department data disclosure

Code name

State

Public

Release date

Affected product

osTicket

Vendor

osTicket

Affected version(s)

v1.18.3 - v.1.17.7

Fixed version(s)

v1.18.4 - v.1.17.8

Vulnerability name

Improper authorization control for web services

Remotely exploitable

Yes

CVSS v4.0 vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CVSS v4.0 base score

7.1

Exploit available

Yes

Description

osTicket versions v1.18.3 and v1.17.7 contain a Broken Object Level Authorization (BOLA) in the AJAX ticket-management subsystem. The vulnerable viewField() method in include/ajax.tickets.php retrieves a ticket and checks that the requested field exists, but does not verify that the authenticated agent is authorized to access the parent ticket.

Consequently, a low-privileged agent assigned only to one department can request fields from tickets in another department. The affected endpoint is:

GET /scp/ajax.php/tickets/{ticket_id}/field/{field_id}/view
GET /scp/ajax.php/tickets/{ticket_id}/field/{field_id}/view
GET /scp/ajax.php/tickets/{ticket_id}/field/{field_id}/view
GET /scp/ajax.php/tickets/{ticket_id}/field/{field_id}/view

The report identifies the vulnerable code at viewField() lines 805-806. The ticket_id and field_id parameters are user-controlled; sequential values enable practical enumeration when the agent can make authenticated requests.

Vulnerability

Root cause

The authorization boundary is missing from the read path:

  1. viewField() obtains the ticket represented by ticket_id and resolves the requested field_id.

  2. It returns the field data without invoking $ticket->checkStaffPerm($thisstaff).

  3. An authenticated agent can therefore access a ticket field without passing the department-level permission check for that ticket.

The neighboring editField() method implements the expected control:

When the check fails, osTicket returns HTTP 403 Permission denied. The omission from viewField() is what permits an unauthorized request to receive HTTP 200 and the ticket field content.

PoC

Preconditions

  • A vulnerable osTicket instance.

  • Two isolated departments, for example Dept-A and Dept-B.

  • A low-privileged agent assigned only to Dept-A.

  • A ticket in Dept-B containing a field the Dept-A agent is not allowed to view.

Reproduction

  1. Configure the exploit.py with the osTicket base URL, the Dept-A agent credentials, and the target ticket and field IDs.

  2. Run the script:

  3. The script authenticates at /scp/login.php, obtains the CSRF token, and sends:

    GET /scp/ajax.php/tickets/<Dept-B-ticket-id>/field/<field-id>
    GET /scp/ajax.php/tickets/<Dept-B-ticket-id>/field/<field-id>
    GET /scp/ajax.php/tickets/<Dept-B-ticket-id>/field/<field-id>
    GET /scp/ajax.php/tickets/<Dept-B-ticket-id>/field/<field-id>
  4. On an affected version, the server responds with HTTP 200 and returns the restricted field data. On a patched version, the same cross-department request returns HTTP 403.

The PoC can also enumerate a small supplied list of field IDs after confirming the initial unauthorized read.

Evidence of Exploitation

  • Video of exploitation:


Our security policy

We have reserved the ID CVE-2026-14871 to refer to this issue from now on.

Disclosure policy

System Information

  • osTicket

  • Versions: v1.18.3 and v1.17.7

  • Operating System: Any deployment running the affected osTicket versions.

References

Mitigation

An updated version of osTicket is available at the vendor page.

Credits

The vulnerability was discovered by Juan Felipe Osorio Z, an independent security researcher.

Timeline

Vulnerability discovered

Vendor contacted

Vendor replied

Vendor confirmed

Vulnerability patched

Public disclosure

Does your application use this vulnerable software?

During our free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

As soluções da Fluid Attacks permitem que as organizações identifiquem, priorizem e corrijam vulnerabilidades em seus softwares ao longo do SDLC. Com o apoio de IA, ferramentas automatizadas e pentesters, a Fluid Attacks acelera a mitigação da exposição ao risco das empresas e fortalece sua postura de cibersegurança.

Consulta IA sobre Fluid Attacks

Assine nossa newsletter

Mantenha-se atualizado sobre nossos próximos eventos e os últimos posts do blog, advisories e outros recursos interessantes.

As soluções da Fluid Attacks permitem que as organizações identifiquem, priorizem e corrijam vulnerabilidades em seus softwares ao longo do SDLC. Com o apoio de IA, ferramentas automatizadas e pentesters, a Fluid Attacks acelera a mitigação da exposição ao risco das empresas e fortalece sua postura de cibersegurança.

Assine nossa newsletter

Mantenha-se atualizado sobre nossos próximos eventos e os últimos posts do blog, advisories e outros recursos interessantes.

Mantenha-se atualizado sobre nossos próximos eventos e os últimos posts do blog, advisories e outros recursos interessantes.

As soluções da Fluid Attacks permitem que as organizações identifiquem, priorizem e corrijam vulnerabilidades em seus softwares ao longo do SDLC. Com o apoio de IA, ferramentas automatizadas e pentesters, a Fluid Attacks acelera a mitigação da exposição ao risco das empresas e fortalece sua postura de cibersegurança.

Assine nossa newsletter

Mantenha-se atualizado sobre nossos próximos eventos e os últimos posts do blog, advisories e outros recursos interessantes.

Mantenha-se atualizado sobre nossos próximos eventos e os últimos posts do blog, advisories e outros recursos interessantes.