CVE-2023-1318: xss: AJAX Paths · osTicket/osTicket@343a2b4
Cross-site Scripting (XSS) - Generic in GitHub repository osticket/osticket prior to v1.16.6.
@@ -366,10 +366,10 @@ function get_db_input($index, $vars, $quote=true) {
static function get_path_info() {
if(isset($_SERVER[‘PATH_INFO’]))
return $_SERVER[‘PATH_INFO’];
return htmlentities($_SERVER[‘PATH_INFO’]);
if(isset($_SERVER[‘ORIG_PATH_INFO’]))
return $_SERVER[‘ORIG_PATH_INFO’];
return htmlentities($_SERVER[‘ORIG_PATH_INFO’]);
//TODO: conruct possible path info.