
CVE-2025-45387: n/a

Medium
Tags: Vulnerability, CVE-2025-45387, cve, cve-2025-45387
Published: Mon Jun 02 2025 (06/02/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: n/a

Description

osTicket versions prior to v1.17.6 and v1.18.2 are vulnerable to a Broken Access Control vulnerability in /scp/ajax.php.

AI-Powered Analysis

Last updated: 07/11/2025, 07:48:15 UTC

Technical Analysis

CVE-2025-45387 is a medium-severity vulnerability in osTicket versions prior to v1.17.6 and v1.18.2. It is described as Broken Access Control in /scp/ajax.php, the AJAX dispatcher of osTicket's Staff Control Panel (/scp/). Broken Access Control means the application does not enforce who may perform an action or read a resource, so a user can act beyond what their role grants. The CVSS metrics quoted for this record are AV:N (exploitable over the network), PR:L (the attacker needs a low-privileged account), UI:R (a victim must take an action, such as opening a page or following a link), S:C (the impact lands outside the vulnerable component), C:L/I:L (limited disclosure and tampering) and A:N (no availability impact). Two caveats apply to those metrics: Attack Complexity is not stated here, and the CVE record itself carries no CVSS (see "Cvss Version: null" under Technical Details), so the vector comes from external scoring rather than from the assigner. The record is tagged CWE-79 (Cross-Site Scripting), and AV:N/PR:L/UI:R/S:C/C:L/I:L/A:N is the vector routinely given to an authenticated stored XSS (5.4, Medium, with AC:L): the server is the vulnerable component, but the injected script executes in another user's browser, which is why scope is Changed and user interaction is required. The most consistent reading is therefore that a low-privileged user can push attacker-controlled content through the ajax.php interface without the checks that should restrict it, and that content then executes in the browser of a staff member using the control panel, giving the attacker the victim's view of tickets and the victim's ability to modify them. No exploits are reported in the wild as of publication (2025-06-02). The CVE record lists vendor and product as n/a, which limits the available detail, but the affected software is osTicket, a widely used open-source support ticket system.

Potential Impact

For European organizations running osTicket for customer support or internal ticket management, the risk is unauthorized reading or alteration of support tickets and user data. Because exploitation needs only a low-privileged account plus an action by a victim, a malicious insider or a compromised low-level account could target staff who work in the control panel and, within that staff member's session, read or modify whatever the victim can reach. The rated impact is limited (C:L/I:L), so this is not a full takeover of the ticketing system, but tickets routinely hold customer personal data, internal communications and operational details, so a successful attack is a personal-data breach in GDPR terms and may trigger notification duties. Availability is not affected, yet the trustworthiness of the support system is, with the reputational and compliance consequences that follow. Organizations in sectors with heavy customer interaction, such as finance, healthcare and public services, carry the most exposure because their queues hold the most sensitive tickets and because attackers can use a trusted help-desk workflow to reach further into the organization.

Mitigation Recommendations

European organizations should upgrade osTicket to v1.17.6 or v1.18.2, or any later release, where this issue is fixed. Both branches have their own fixed version, so a 1.18.0 or 1.18.1 install is still vulnerable even though it is newer than 1.17.6; check the branch, not just a single threshold. Where patching must wait, shrink the population that can reach the flaw: review which accounts can log in to the staff panel (/scp/), prune dormant or unnecessary agent accounts, and require strong authentication (MFA) for the rest. Log requests to /scp/ajax.php and alert on anomalies, such as script-like content in request parameters or an unusual request volume from one account or address; a WAF rule set that inspects AJAX requests to that path can block obvious attempts, but treat it as a stopgap rather than a fix. Because the record carries CWE-79, browser-side hardening limits what injected content can do: mark session cookies HttpOnly and Secure, and deploy a Content Security Policy that disallows inline scripts where the deployment tolerates it. Audit local customizations of osTicket for access-control weaknesses of their own, since they are not covered by the vendor fix. Finally, since exploitation requires user interaction, brief staff that links and ticket content submitted by untrusted users can be hostile even when viewed inside the help desk.
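Two of the recommendations above are mechanical enough to script: deciding whether an installed version is covered by the two fixed releases, and watching access logs for requests to /scp/ajax.php that carry script-like content. The block below is an added example written for this page; it is not osTicket code and not part of the original analysis. `is_affected()` treats branches older than 1.17 as affected (the advisory names no fix for them) and assumes branches newer than 1.18 post-date the fix; `scan_log()` parses Apache/nginx combined-format access logs. The log lines, the client addresses and the ajax.php sub-paths in them are constructed for the example, not captured from a real deployment.

```python
"""Triage helpers for this advisory. Added example, not osTicket code and not
from the original page. is_affected() applies "prior to v1.17.6 and v1.18.2"
per branch; scan_log() flags /scp/ajax.php requests whose decoded query string
looks like HTML/JS injection and counts ajax.php requests per client.
ASSUMPTION: branches newer than 1.18 include the fix. SAMPLE_LOG is constructed.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED = {(1, 17): (1, 17, 6), (1, 18): (1, 18, 2)}

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Markers of HTML/JS injection, applied after URL-decoding the query string.
SCRIPT_RE = re.compile(
    r"<\s*script|<\s*(?:img|svg|iframe)\b|\bon\w+\s*=|javascript:", re.I)

# Constructed sample log (not real traffic). Line 3 is double URL-encoded;
# line 4 carries a payload but is not an ajax.php request and must be ignored.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Jun/2025:10:15:32 +0000] "GET /scp/ajax.php/tickets/search?query=printer HTTP/1.1" 200 512 "https://helpdesk.example/scp/tickets.php" "Mozilla/5.0"
203.0.113.7 - - [02/Jun/2025:10:16:01 +0000] "GET /scp/ajax.php/tickets/search?query=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 498 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Jun/2025:10:16:40 +0000] "GET /scp/ajax.php/users/lookup?q=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 311 "-" "curl/8.5.0"
203.0.113.5 - - [02/Jun/2025:10:17:02 +0000] "GET /index.php?page=%3Cscript%3E HTTP/1.1" 404 0 "-" "Mozilla/5.0"
""".splitlines()


def parse_version(v: str) -> tuple:
    """'v1.18.1' -> (1, 18, 1); suffixes such as '-rc1' are ignored."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", v.strip())
    if not m:
        raise ValueError(f"not a version string: {v!r}")
    return tuple(int(x) for x in m.group(1).split("."))


def is_affected(version: str) -> bool:
    """True if the version predates the fix for its own branch. A single
    threshold compare against 1.17.6 would wrongly clear 1.18.0 and 1.18.1."""
    ver = parse_version(version)
    branch = ver[:2]
    if branch in FIXED:
        return ver < FIXED[branch]
    # Older branches have no fixed release; newer ones are assumed fixed.
    return branch < (1, 17)


def decode(s: str) -> str:
    """URL-decode up to twice so double-encoded payloads are seen in clear."""
    for _ in range(2):
        d = unquote_plus(s)
        if d == s:
            break
        s = d
    return s


def scan_log(lines):
    """Return (hits, per_ip). hits: /scp/ajax.php requests whose decoded query
    matches SCRIPT_RE. per_ip: count of all ajax.php requests per client, a
    baseline for spotting unusual volume from one host or account."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["target"].startswith("/scp/ajax.php"):
            continue
        per_ip[m["ip"]] += 1
        path, _, query = m["target"].partition("?")
        decoded = decode(query)
        if SCRIPT_RE.search(decoded):
            hits.append({"ip": m["ip"], "ts": m["ts"], "path": path,
                         "query": decoded, "ua": m["ua"]})
    return hits, per_ip


if __name__ == "__main__":
    for v in ("1.17.5", "1.17.6", "1.18.0", "1.18.2"):
        print(f"osTicket {v}: {'AFFECTED' if is_affected(v) else 'fixed'}")
    hits, per_ip = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"suspicious ajax.php request from {h['ip']} at {h['ts']}: {h['query']}")
    print("ajax.php requests per client:", dict(per_ip))
```

Access logs only record the request line, so this scanner sees GET parameters and nothing posted in a request body; catching payloads submitted via POST needs application-level logging or a WAF that inspects bodies. The per-client counter is deliberately raw: compare it against the deployment's normal baseline before alerting on it.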


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-04-22T00:00:00.000Z
Cvss Version
null
State
PUBLISHED

Threat ID: 683ddf3a182aa0cae24e7e36

Added to database: 6/2/2025, 5:28:26 PM

Last enriched: 7/11/2025, 7:48:15 AM

Last updated: 8/10/2025, 7:01:33 PM


