CVE-2023-30082

CVSS 7.5 HIGH · EPSS 1.0% · CWE-1284
In short

The osTicket application crashes when someone submits an extremely long password (over 10 million characters), causing the website to stop working. The server wastes all its computing power trying to process this unusually large input.

Technical detail

A denial of service vulnerability exists in osTicket where supplying a password exceeding 10,000,000 characters causes excessive CPU and memory consumption, leading to service unavailability. The attack vector is unauthenticated and requires only submission of a maliciously crafted password during login or registration, with no special preconditions beyond network access to the application.

Summary generated and translated by AI from the official description.
A denial of service attack might be launched against the server if an unusually lengthy password (more than 10000000 characters) is supplied using the osTicket application. This can cause the website to go down or stop responding. When a long password is entered, this procedure will consume all available CPU and memory.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
n/a · n/a
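
A size guard for the oversized-password condition described above, as an added example in PHP (the language osTicket is written in); it is not osTicket code and not the vendor's fix. The limits, the function name and the `password` field name are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not osTicket code. Limits and the field name are assumptions.
const MAX_BODY_BYTES     = 16384; // assumed ceiling for a login/registration POST
const MAX_PASSWORD_BYTES = 128;   // assumed policy ceiling for a password

/**
 * Decide whether a credential POST may proceed to password processing.
 * Returns null to continue, or the HTTP status to reject with.
 * Call it before the password is hashed, compared or logged.
 */
function oversized_credential_status(array $server, array $post): ?int
{
    // Declared body size: reject when absent, malformed or too large.
    $declared = (string)($server['CONTENT_LENGTH'] ?? '');
    if (!ctype_digit($declared)) {
        return 411; // Length Required
    }
    if ((int)$declared > MAX_BODY_BYTES) {
        return 413; // Content Too Large
    }

    // Field size in bytes: strlen() counts bytes, which is what costs CPU and memory.
    $password = $post['password'] ?? null; // 'password' is a hypothetical field name
    if (!is_string($password) || $password === '') {
        return 400; // missing, empty, or sent as password[]=...
    }
    return strlen($password) > MAX_PASSWORD_BYTES ? 413 : null;
}

// Constructed inputs: a normal login and one just over the size named in the CVE.
$normal = ['password' => 'correct horse battery staple'];
$huge   = ['password' => str_repeat('A', 10000001)];

// Normal request: allowed through.
var_dump(oversized_credential_status(['CONTENT_LENGTH' => '64'], $normal));
// Oversized request with an honest length header: stopped at the body check.
var_dump(oversized_credential_status(['CONTENT_LENGTH' => '10000020'], $huge));
// Length header understated: the field check still stops it.
var_dump(oversized_credential_status(['CONTENT_LENGTH' => '64'], $huge));
```

By the time application code runs, PHP has already received and parsed the body, so this check belongs behind a request-size limit at the web server or PHP layer (for example nginx `client_max_body_size`, Apache `LimitRequestBody`, PHP `post_max_size`).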
