Headline
CVE-2023-1315: xss: Search parent_id · osTicket/osTicket@ec60439
Cross-site Scripting (XSS) - Reflected in GitHub repository osticket/osticket prior to v1.16.6.
@@ -31,7 +31,7 @@ function getAdvancedSearchDialog($key=false, $context=’advsearch’) {
$search = new AdhocSearch(array(
‘root’ => 'T’,
‘staff_id’ => $thisstaff->getId(),
‘parent_id’ => @$_GET[‘parent_id’] ?: 0,
‘parent_id’ => (int) @$_GET[‘parent_id’] ?: 0,
));
if ($search->parent_id) {
$search->flags |= SavedSearch::FLAG_INHERIT_COLUMNS;
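Review bot: The new `parent_id` line still depends on `@` to hide the undefined-index notice and on `?:` for the default, so a request without the parameter is handled by error suppression rather than by an explicit default; `'parent_id' => (int) ($_GET['parent_id'] ?? 0),` yields the same integer without the `@`. The `(int)` cast is the right way to confine this request value to an integer before it can be reflected, but the durable protection is still escaping at the output site, which lies outside this hunk. getAdvancedSearchDialog's body continues past the hunk.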
@@ -168,7 +168,7 @@ function createSearch() {
‘title’ => __(‘Add Queue’),
‘root’ => 'T’,
‘staff_id’ => $thisstaff->getId(),
‘parent_id’ => $_GET[‘pid’],
‘parent_id’ => (int) $_GET[‘pid’],
));
$this->_tryAgain($search);
}
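Review bot: `(int) $_GET['pid']` has no default, so a request without `pid` raises an undefined-index warning before the cast falls back to 0, and it differs from the `?: 0` default applied to `parent_id` in getAdvancedSearchDialog; `'parent_id' => (int) ($_GET['pid'] ?? 0),` handles the missing case and keeps the two call sites consistent. createSearch begins before the hunk, so whether `pid` is validated earlier cannot be seen here.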