Today I upgraded my osTicket 1.14.1 installation to 1.15.2 to fix some vulnerabilities found by Greenbone Security Manager. After the upgrade I ran a new vulnerability scan. All the previous vulnerabilities got fixed, but a new one showed up in the report with high severity. Could this be a false alert or is this real?
Summary
Dragan Mitic Apoll is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Detection Result
Vulnerable URL: https://xxx/account/admin/login.php
Details:
Dragan Mitic Apoll 'admin/index.php' SQL Injection Vulnerability OID: 1.3.6.1.4.1.25623.1.0.100022
Version used:
2020-08-24T15:18:35Z
Affected Software/OS
Dragan Mitic Apoll 0.7 is vulnerable. Other versions may also be affected.
CVE-2008-6270
CVE-2008-6272