H3-2025-0064
osTicket Self-Signup Enabled
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 4.0 |
Description
The osTicket server is running with a default configuration that permits anyone to create accounts.
Impact
Unauthenticated users can create accounts and open tickets, providing the opportunity to exploit potential vulnerabilities such as XSS, SSRF, or LFI.