2026-9507 Session Fixation in osTicket v1.18.2

Original release date: June, 2025
Last revised: 
Discovered by: Mario Valiente Catalán
Severity: 5.1/10 (CVSS v4.0 Base Score)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

BACKGROUND

osTicket, by Enhancesoft, is a free and open‑source technical support ticket management system.

DESCRIPTION

A session fixation vulnerability has been identified in osTicket v1.18.2. This security flaw allows an attacker to hijack a victim’s account because the initial session identifier (OSTSESSID) remains active after a successful login.

The application does not invalidate the pre-authentication cookie or generate a new identifier for the authenticated context. As a result, if an attacker manages to set a known session identifier in the victim’s browser, they will be able to maintain unauthorised access to the account once the victim has authenticated.

PROOF OF CONCEPT

As we can see, the initial OSTSESSID cookie, with the value POC-COOKIE, belongs to a Guest User context, i.e. it is not authenticated.

[Screenshot: osTicket-sign-in.png]

We access the login panel:

[Screenshot: osTicket-login-panel.png]

And we log in. As we can see in the server response, it does not set any new cookie for the authenticated context.

[Screenshot: osTicket-new-cookie-configured.png]

Finally, we can see that we have been correctly logged in as the user benjugat and that the cookie has not been replaced by a new one: the session keeps the initial cookie POC-COOKIE. The server has simply moved it from the unauthenticated to the authenticated context.

[Screenshot: osTicket-cookie-not-been-modified.png]
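
The comparison made by hand in the screenshots above can be automated as a regression check over captured HTTP headers. The following Python is an added example, not part of the original advisory or of osTicket's code; the function names are hypothetical and the header samples are constructed.

```python
from http.cookies import SimpleCookie

COOKIE_NAME = "OSTSESSID"  # session cookie named in the advisory


def cookie_value(header_value, name=COOKIE_NAME):
    """Return the value of `name` from a Cookie/Set-Cookie header value, or None."""
    jar = SimpleCookie()
    jar.load(header_value)
    return jar[name].value if name in jar else None


def rotated_on_login(pre_login_cookie, login_response_headers, name=COOKIE_NAME):
    """True only if the login response issues a session ID that differs
    from the one the browser held before authenticating."""
    before = cookie_value(pre_login_cookie, name)
    issued = [
        cookie_value(value, name)
        for key, value in login_response_headers
        if key.lower() == "set-cookie"
    ]
    issued = [v for v in issued if v is not None]
    if not issued:
        return False             # no new cookie at all: the behaviour in the PoC
    return issued[-1] != before  # re-sending the same value is not a rotation


# Constructed samples: response headers as (name, value) pairs.
PRE_LOGIN_COOKIE = "OSTSESSID=POC-COOKIE"
VULNERABLE_LOGIN_RESPONSE = [("Content-Type", "text/html; charset=utf-8")]
SAME_ID_LOGIN_RESPONSE = [("Set-Cookie", "OSTSESSID=POC-COOKIE; path=/; HttpOnly")]
HARDENED_LOGIN_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "OSTSESSID=0f3c9a7e51b2; path=/; HttpOnly"),
]

if __name__ == "__main__":
    for label, headers in [
        ("no Set-Cookie on login", VULNERABLE_LOGIN_RESPONSE),
        ("same ID re-issued", SAME_ID_LOGIN_RESPONSE),
        ("new ID issued", HARDENED_LOGIN_RESPONSE),
    ]:
        ok = rotated_on_login(PRE_LOGIN_COOKIE, headers)
        print(f"{label}: {'rotated' if ok else 'NOT rotated (fixation risk)'}")
```

A passing result only shows that a new identifier was issued; whether the old identifier is also invalidated server-side has to be confirmed separately.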

BUSINESS IMPACT

This security flaw allows an attacker to hijack a victim’s account because the initial session identifier (OSTSESSID) remains active after a successful login.

SYSTEMS AFFECTED

osTicket v1.18.2.

SOLUTION

The current (legacy) source code is in maintenance mode, while Enhancesoft is focusing on a complete rewrite of the code (v2.0). This means that release cycles and security updates for the legacy code have been significantly delayed.

REVISION HISTORY

-

DISCLOSURE TIMELINE

  • June 2025: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com).
  • June 05, 2025: Sent to osTicket.
  • June 16, 2026: New release and disclosure.

REFERENCES

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

ABOUT

Internet Security Auditors is a company based in Spain and Colombia and a leader in web application testing, network security, penetration testing, and security compliance implementation and assessment. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are a vendor-independent provider with deep expertise since 2001. Our efforts in R&D include vulnerability research, open security project collaboration and whitepapers, presentations, and security event participation and promotion. For further information regarding our security services, contact us.