osTicket versions v1.18.3 and v1.17.7 contain a Broken Object Level Authorization (BOLA) leading to Insecure Direct Object Reference (IDOR) in the AJAX ticket-management subsystem.
Metrics
Affected Vendors & Products
References
History
Fri, 17 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 17 Jul 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | osTicket versions v1.18.3 and v1.17.7 contain a Broken Object Level Authorization (BOLA) leading to Insecure Direct Object Reference (IDOR) in the AJAX ticket-management subsystem. | |
| Title | osTicket v1.18.3 - v1.17.7 - BOLA/IDOR in ticket field viewing allows cross-department data disclosure | |
| First Time appeared |
Osticket
Osticket osticket |
|
| Weaknesses | CWE-863 | |
| CPEs | cpe:2.3:a:osticket:osticket:v1.17.7:*:linux:*:*:*:*:* cpe:2.3:a:osticket:osticket:v1.17.7:*:macos:*:*:*:*:* cpe:2.3:a:osticket:osticket:v1.17.7:*:windows:*:*:*:*:* cpe:2.3:a:osticket:osticket:v1.18.3:*:linux:*:*:*:*:* cpe:2.3:a:osticket:osticket:v1.18.3:*:macos:*:*:*:*:* cpe:2.3:a:osticket:osticket:v1.18.3:*:windows:*:*:*:*:* |
|
| Vendors & Products |
Osticket
Osticket osticket |
|
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: Fluid Attacks
Published:
Updated: 2026-07-17T15:28:21.159Z
Reserved: 2026-07-06T14:11:41.135Z
Link: CVE-2026-14871
Updated: 2026-07-17T15:28:15.628Z
No data.
No data.
OpenCVE Enrichment
No data.