- Non-privileged access to the osTicket instance
- You simply need to have an account. Most instances allow anyone to create an account, as long as the email is valid and verified.
This CVE is actually VERY simple to exploit. All you need to do is change your account name to the CSV Injection payload, and the next time that an agent exports all users and opens the file, your payload will be run. For example, if your username was `Test User`, changing it by going to `http://domain.com/profile.php` and setting your username to `=2+3` would do the trick. When an agent exports data and opens it up, the formula will be executed and they would see `5`.
Based on the description found in the Exploit-DB entry "osTicket 1.12 - Formula Injection" by AISHWARYA IYER.
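One way to neutralize this on the export side, as an added example that is not osTicket's code or part of the original write-up: any cell that begins with a formula character is prefixed with a single quote before it is written, so the spreadsheet shows it as text. The column names, function names and sample accounts are constructed for illustration.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula; tab and carriage return are included because some importers
# strip them before evaluating the cell.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample accounts; the second uses the name from the write-up.
SAMPLE_USERS = [
    {"name": "Test User", "email": "user@example.com"},
    {"name": "=2+3", "email": "user2@example.com"},
]


def neutralize_cell(value):
    """Return the value as text that a spreadsheet will not evaluate."""
    text = "" if value is None else str(value)
    # Leading spaces are ignored for the check because importers may trim them.
    if text.lstrip(" ").startswith(FORMULA_PREFIXES):
        # Trade-off: legitimate values such as "-5" or "+1 555 0100" also
        # gain the quote, which is the safe default for untrusted fields.
        return "'" + text
    return text


def export_users(users):
    """Write the user list as CSV with every field quoted and neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["Name", "Email"])  # assumed column names
    for user in users:
        writer.writerow([neutralize_cell(user["name"]),
                         neutralize_cell(user["email"])])
    return buf.getvalue()


def flag_formula_names(users):
    """Audit helper: names that would be evaluated if exported unmodified."""
    return [u["name"] for u in users if neutralize_cell(u["name"]) != u["name"]]


if __name__ == "__main__":
    print(export_users(SAMPLE_USERS), end="")
    print("needs review:", flag_formula_names(SAMPLE_USERS))
```

Running `flag_formula_names` over existing accounts before an export also shows whether any stored name already carries a formula prefix.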