- Privileged access to the osTicket instance
- This requires an account with agent status, not a guest or regular account.
Cross-Site Scripting is achieved by placing a malicious payload in the internal notes when banning a user at http://domain.com/scp/banlist.php. This requires an existing agent account, and it can only target other agents, since normal users are not authorized to view this page. To reproduce, go to the /scp/banlist.php page and either select an already banned user or ban a new one. In the internal notes, paste a generic XSS payload such as <img src="x" onerror="alert('XSS')"> and save. This returns you to the main banlist page; if you hover over the email address of the banned account, you can copy the link to that entry and send it to other agents, who trigger the stored payload when they open it.
Based on the description found in the CVE and the GitHub commit; found by heinhtetaung.
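The root cause described above is a stored note rendered into the agent page without output encoding. The following is an added illustration (not osTicket's own code, which is PHP): a minimal model of the vulnerable rendering next to the escaped form, using the payload quoted above, plus an audit helper that flags existing ban-list notes carrying active markup. The note texts and email addresses are constructed sample data.

```python
import html
import re

# Constructed sample ban-list entries; the first note is the payload
# quoted in the description above, the others are benign.
SAMPLE_NOTES = {
    "spammer@example.com": "<img src=\"x\" onerror=\"alert('XSS')\">",
    "abuser@example.com": "Repeated abuse of the support form; banned 2024-01-05.",
    "bounce@example.com": "Note with a <b>bold</b> word but no script.",
}


def render_note_vulnerable(note: str) -> str:
    """Interpolate the stored note into the page without encoding.
    This mirrors the behaviour reported above: whatever markup the
    agent saved is handed to other agents' browsers as-is."""
    return f"<td class=\"notes\">{note}</td>"


def render_note_fixed(note: str) -> str:
    """Same table cell, but the note is HTML-escaped so the browser
    treats it as text. quote=True also encodes quotes, which matters
    if the value is ever placed inside an attribute."""
    return f"<td class=\"notes\">{html.escape(note, quote=True)}</td>"


# Markers that never belong in a field meant to hold plain text:
# script tags, inline event handlers (onerror=, onload=, ...) and
# javascript: URLs.
_ACTIVE_MARKUP = re.compile(r"<\s*script\b|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def find_suspicious_notes(notes: dict) -> list:
    """Return the ban-list emails whose stored note contains active
    markup. Intended for auditing an existing database before or
    after applying the patch."""
    return sorted(email for email, text in notes.items() if _ACTIVE_MARKUP.search(text))


if __name__ == "__main__":
    for email, text in SAMPLE_NOTES.items():
        print(email, render_note_fixed(text))
    print("suspicious entries:", find_suspicious_notes(SAMPLE_NOTES))
```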