CVE-2019-14749 in osTicket

Summary

by MITRE

An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. CSV (aka Formula) injection exists in the export spreadsheets functionality. These spreadsheets are generated dynamically from unvalidated or unfiltered user input in the Name and Internal Notes fields in the Users tab, and the Issue Summary field in the tickets tab. This allows other agents to download data in a .csv file format or .xls file format. This is used as input for spreadsheet applications such as Excel and OpenOffice Calc, resulting in a situation where cells in the spreadsheets can contain input from an untrusted source. As a result, the end user who is accessing the exported spreadsheet can be affected.


Analysis

by VulDB Data Team • 09/06/2025

The vulnerability identified as CVE-2019-14749 represents a critical CSV injection flaw in the osTicket help desk software affecting versions prior to 1.10.7 and 1.12.1. This vulnerability resides within the export spreadsheet functionality that generates dynamic files from user input data, creating a significant security risk when these files are opened in spreadsheet applications like Microsoft Excel or OpenOffice Calc. The flaw specifically impacts the Name and Internal Notes fields within the Users tab, as well as the Issue Summary field in the tickets tab, where user-provided data flows directly into the exported spreadsheet cells without proper sanitization or validation. The vulnerability stems from the software's failure to properly escape or filter malicious input that could be interpreted as spreadsheet formulas by applications that process these files.

Technically, the flaw lets an attacker submit input containing spreadsheet formula syntax that is evaluated when the exported file is opened in a spreadsheet application. When a user opens the crafted CSV or XLS file, the application treats the formula string as a command to evaluate rather than as text, potentially leading to arbitrary code execution, data exfiltration, or system compromise. This follows the common CSV injection pattern in which a formula string such as "=cmd|' /C calc'!A0" is executed on open, abusing the trust that spreadsheet applications place in their input data. The vulnerability is particularly dangerous because it sits at the intersection of data processing and application execution: user input flows directly into what the spreadsheet environment treats as executable content.

The operational impact extends beyond data corruption or unauthorized access, because the flaw creates a vector for further attacks against the end users who open the exported data. By abusing the trust relationship between spreadsheet applications and their input, an attacker can deliver malware, steal credentials, or gain unauthorized access to systems. Every agent with access to the export functionality is affected, and any user who opens a crafted export file can be impacted, which makes the issue especially serious in enterprise environments where many users work with help desk data. Because exploitation passes through a legitimate administrative function, detection is harder and the likelihood of success is higher.

Organizations should apply immediate mitigations: update to the patched osTicket versions, validate and sanitize all user-provided data that flows into export functionality, and educate users about the risks of opening untrusted spreadsheet files. The vulnerability is classified under CWE-1236, which covers the improper neutralization of special elements used in spreadsheet formulas, and aligns with ATT&CK technique T1059.006 for execution through a command and scripting interpreter. Security controls should focus on sanitizing data at the point of export, using CSV escaping techniques, and, where possible, disabling automatic formula execution in spreadsheet applications. Organizations should also consider network segmentation and access controls that limit who can export data, and establish procedures for verifying the integrity of exported files before opening them in a spreadsheet application. The case illustrates the importance of considering the full attack surface when processing user input, particularly in applications that generate files for consumption in other, potentially vulnerable, environments.
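The point-of-export sanitization described above, written as an added example rather than code from osTicket (which is a PHP application) or from the advisory: cells whose first non-blank character is one of the formula triggers (=, +, -, @, tab, carriage return) are prefixed with an apostrophe so spreadsheet applications treat them as text, every field is quoted per RFC 4180, and a companion helper flags such cells so an export can be logged before it is served. Field names and sample rows are constructed for illustration.

```python
import csv
import io

# Leading characters that Excel and LibreOffice Calc treat as the start of
# a formula (OWASP CSV-injection guidance). Tab and carriage return are
# included because a cell such as "\t=1+1" is still evaluated.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def looks_like_formula(value: str) -> bool:
    """True if a spreadsheet application would evaluate this cell."""
    # Check both the raw value and the value with leading blanks removed,
    # so whitespace cannot be used to hide the trigger character.
    return (value.startswith(FORMULA_TRIGGERS)
            or value.lstrip().startswith(FORMULA_TRIGGERS))


def neutralize_cell(value) -> str:
    """Return the value as text that a spreadsheet will not evaluate.

    A leading apostrophe forces text mode in Excel and Calc and is not
    rendered. Caveat: legitimate values such as "-2 days" or "+1 555 0100"
    also receive the prefix, so apply this to free-text fields only."""
    text = "" if value is None else str(value)
    return "'" + text if looks_like_formula(text) else text


def export_csv(rows, fieldnames) -> str:
    """Render rows as RFC 4180 CSV with every cell quoted and neutralized."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k)) for k in fieldnames})
    return buf.getvalue()


def flag_formula_cells(rows, fieldnames):
    """Detection helper: (row index, field) pairs that look like formulas."""
    return [(i, k) for i, row in enumerate(rows) for k in fieldnames
            if looks_like_formula(str(row.get(k) or ""))]


# Constructed sample: the three fields named in the advisory, one benign row
# and one carrying the DDE-style payload quoted in the analysis above.
FIELDS = ["Name", "Internal Notes", "Issue Summary"]
SAMPLE_ROWS = [
    {"Name": "Alice Smith", "Internal Notes": "VIP customer",
     "Issue Summary": "Printer offline since Monday"},
    {"Name": "@SUM(1+1)", "Internal Notes": "\t=1+1",
     "Issue Summary": "=cmd|' /C calc'!A0"},
]

if __name__ == "__main__":
    print(flag_formula_cells(SAMPLE_ROWS, FIELDS))
    print(export_csv(SAMPLE_ROWS, FIELDS))
```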

Reservation

08/07/2019

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.09612

KEV

no

Activities

very low

Sources
