CVE-2019-14750

This CVE can only be exploited during the initial setup of the osTicket instance. The stored XSS occurs when the admin user is first created with a malicious payload (like <img src=x onerror=alert(1)>) in the firstname or lastname fields. Since this requires a brand-new osTicket instance with no setup, and the resulting user will be the admin anyway, there's no point in exploiting this CVE, so I won't provide a relevant PoC.
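For defenders, the useful check is whether a name stored at install time contains markup, and whether it is HTML-encoded when rendered. The following is an added example, not code from this repository or from osTicket; the row layout, field names and function names are assumptions, and the sample rows are constructed.

```python
import html
import re

# Tag openers, inline event handlers and javascript: URLs. A plain apostrophe
# or ampersand in a real name (O'Doe, Smith & Co) must not be flagged.
SUSPICIOUS = re.compile(r"<\s*[a-zA-Z/!]|\bon\w+\s*=|javascript:", re.IGNORECASE)

# Constructed sample rows standing in for stored staff records.
# The keys are assumed for this example, not taken from the osTicket schema.
SAMPLE_STAFF = [
    {"username": "admin", "firstname": "<img src=x onerror=alert(1)>", "lastname": "Admin"},
    {"username": "jdoe", "firstname": "Jane", "lastname": "O'Doe"},
    {"username": "asmith", "firstname": "Ann", "lastname": "Smith"},
]


def audit_names(rows):
    """Return (username, field, value) for each name field that contains markup."""
    findings = []
    for row in rows:
        for field in ("firstname", "lastname"):
            value = row.get(field, "")
            if SUSPICIOUS.search(value):
                findings.append((row["username"], field, value))
    return findings


def render_name(row):
    """Build the display name with both parts HTML-encoded for text and attribute context."""
    first = html.escape(row["firstname"], quote=True)
    last = html.escape(row["lastname"], quote=True)
    return f"{first} {last}"


if __name__ == "__main__":
    for username, field, value in audit_names(SAMPLE_STAFF):
        print(f"markup in {field} of {username}: {value!r}")
    for row in SAMPLE_STAFF:
        print(render_name(row))
```

Encoding at output is the control that matters here; the audit only locates values that were stored before the encoding was in place.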

Credits

Based on description found in Exploit-DB, "osTicket 1.12 - Persistent Cross-Site Scripting", located here by AISHWARYA IYER.