By mistake, when I entered the page to check the status of a ticket (view.php), I put my email in the email field and the password in the Ticket Number field; when the page reloaded, I had logged in with the user account.

It is a failure record, you can verify it.

When you log in with a username and password it should in fact log you in.
How is that a "security issue"?

How can I send you a video privately, and data for you to try with the problem, so you can replicate it?

What you sent gives me an error and enters the page.

@ojosra

I am not able to replicate this using the latest stable version of v1.15.3.1. You are also using what appears to be a heavily customized version of osTicket. I'd highly suggest making a vanilla install and retesting. If you can replicate this with a vanilla install then follow the security guidelines below:

Cheers.
