Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/src/Protocol/SmtpPluginManager.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/src/Protocol/SmtpPluginManager.php@@ -1,27 +1,35 @@ <?php--/**- * @see https://github.com/laminas/laminas-mail for the canonical source repository- * @copyright https://github.com/laminas/laminas-mail/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-mail/blob/master/LICENSE.md New BSD License- */ namespace Laminas\Mail\Protocol; use Laminas\ServiceManager\AbstractPluginManager;+use Laminas\ServiceManager\ConfigInterface; use Laminas\ServiceManager\Exception\InvalidServiceException; use Laminas\ServiceManager\Factory\InvokableFactory;++use function gettype;+use function is_object;+use function sprintf; /** * Plugin manager implementation for SMTP extensions. * * Enforces that SMTP extensions retrieved are instances of Smtp. 
Additionally, * it registers a number of default extensions available.+ *+ * @link ConfigInterface+ *+ * @psalm-import-type FactoriesConfigurationType from ConfigInterface+ *+ * @extends AbstractPluginManager<Smtp>+ * @final */ class SmtpPluginManager extends AbstractPluginManager { /** * Service aliases+ *+ * @var array<array-key, class-string> */ protected $aliases = [ 'crammd5' => Smtp\Auth\Crammd5::class,@@ -33,62 +41,59 @@ 'Login' => Smtp\Auth\Login::class, 'plain' => Smtp\Auth\Plain::class, 'Plain' => Smtp\Auth\Plain::class,+ 'xoauth2' => Smtp\Auth\Xoauth2::class,+ 'Xoauth2' => Smtp\Auth\Xoauth2::class, 'smtp' => Smtp::class, 'Smtp' => Smtp::class, 'SMTP' => Smtp::class,- // Legacy Zend Framework aliases- \Zend\Mail\Protocol\Smtp\Auth\Crammd5::class => Smtp\Auth\Crammd5::class,- \Zend\Mail\Protocol\Smtp\Auth\Login::class => Smtp\Auth\Login::class,- \Zend\Mail\Protocol\Smtp\Auth\Plain::class => Smtp\Auth\Plain::class,- \Zend\Mail\Protocol\Smtp::class => Smtp::class,-+ 'Zend\Mail\Protocol\Smtp\Auth\Crammd5' => Smtp\Auth\Crammd5::class,+ 'Zend\Mail\Protocol\Smtp\Auth\Login' => Smtp\Auth\Login::class,+ 'Zend\Mail\Protocol\Smtp\Auth\Plain' => Smtp\Auth\Plain::class,+ 'Zend\Mail\Protocol\Smtp' => Smtp::class, // v2 normalized FQCNs- 'zendmailprotocolsmtpauthcrammd5' => Smtp\Auth\Crammd5::class,- 'zendmailprotocolsmtpauthlogin' => Smtp\Auth\Login::class,- 'zendmailprotocolsmtpauthplain' => Smtp\Auth\Plain::class,- 'zendmailprotocolsmtp' => Smtp::class,+ 'zendmailprotocolsmtpauthcrammd5' => Smtp\Auth\Crammd5::class,+ 'zendmailprotocolsmtpauthlogin' => Smtp\Auth\Login::class,+ 'zendmailprotocolsmtpauthplain' => Smtp\Auth\Plain::class,+ 'zendmailprotocolsmtp' => Smtp::class,+ 'laminasmailprotocolsmtpauthcrammd5' => Smtp\Auth\Crammd5::class,+ 'laminasmailprotocolsmtpauthlogin' => Smtp\Auth\Login::class,+ 'laminasmailprotocolsmtpauthplain' => Smtp\Auth\Plain::class,+ 'laminasmailprotocolsmtp' => Smtp::class, ]; /** * Service factories *- * @var array+ * @var 
FactoriesConfigurationType */ protected $factories = [ Smtp\Auth\Crammd5::class => InvokableFactory::class, Smtp\Auth\Login::class => InvokableFactory::class, Smtp\Auth\Plain::class => InvokableFactory::class,+ Smtp\Auth\Xoauth2::class => InvokableFactory::class, Smtp::class => InvokableFactory::class,-- // v2 normalized service names-- 'laminasmailprotocolsmtpauthcrammd5' => InvokableFactory::class,- 'laminasmailprotocolsmtpauthlogin' => InvokableFactory::class,- 'laminasmailprotocolsmtpauthplain' => InvokableFactory::class,- 'laminasmailprotocolsmtp' => InvokableFactory::class, ]; /** * Plugins must be an instance of the Smtp class *- * @var string+ * @var class-string<Smtp> */ protected $instanceOf = Smtp::class; /** * Validate a retrieved plugin instance (v3). *- * @param object $plugin- * @throws InvalidServiceException+ * {@inheritDoc} */- public function validate($plugin)+ public function validate(mixed $instance) {- if (! $plugin instanceof $this->instanceOf) {+ if (! $instance instanceof $this->instanceOf) { throw new InvalidServiceException(sprintf( 'Plugin of type %s is invalid; must extend %s',- (is_object($plugin) ? get_class($plugin) : gettype($plugin)),- Smtp::class+ is_object($instance) ? $instance::class : gettype($instance),+ $this->instanceOf )); } }@@ -96,10 +101,12 @@ /** * Validate a retrieved plugin instance (v2). *+ * @deprecated+ * * @param object $plugin * @throws Exception\InvalidArgumentException */- public function validatePlugin($plugin)+ public function validatePlugin(mixed $plugin) { try { $this->validate($plugin);
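Review bot: in the validate() and validatePlugin() hunks, the `mixed` parameter type and `$instance::class` on an object both require PHP 8.0, and nothing in this patch states the new minimum; check it against the PHP versions this release is meant to support before shipping the bundled library. The validatePlugin() docblock also still reads `@param object $plugin` next to the `mixed` signature, and replacing the validate() docblock with `{@inheritDoc}` drops the `@throws InvalidServiceException` line. The new `xoauth2`/`Xoauth2` aliases make one more auth extension resolvable by name, so confirm `Smtp\Auth\Xoauth2` is present in the shipped tree.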
Here's the analysis of the provided code diff for security fixes:

1. Vulnerability Existed: not sure
[Potential Type Safety Issue] [include/laminas-mail/src/Protocol/SmtpPluginManager.php] [Lines: 84-98]
[Old Code]
```php
public function validate($plugin)
{
    if (! $plugin instanceof $this->instanceOf) {
        throw new InvalidServiceException(sprintf(
            'Plugin of type %s is invalid; must extend %s',
            (is_object($plugin) ? get_class($plugin) : gettype($plugin)),
            Smtp::class
        ));
    }
}
```
[Fixed Code]
```php
public function validate(mixed $instance)
{
    if (! $instance instanceof $this->instanceOf) {
        throw new InvalidServiceException(sprintf(
            'Plugin of type %s is invalid; must extend %s',
            is_object($instance) ? $instance::class : gettype($instance),
            $this->instanceOf
        ));
    }
}
```
Additional Details: The change adds type safety by using `mixed` type hint and improves error message consistency, but it's unclear if this was fixing an actual security vulnerability or just improving code quality.

2. Vulnerability Existed: not sure
[Potential Authentication Bypass] [include/laminas-mail/src/Protocol/SmtpPluginManager.php] [Lines: 33-34, 70]
[Old Code]
(No Xoauth2 authentication method in aliases or factories)
[Fixed Code]
```php
'xoauth2' => Smtp\Auth\Xoauth2::class,
'Xoauth2' => Smtp\Auth\Xoauth2::class,
...
Smtp\Auth\Xoauth2::class => InvokableFactory::class,
```
Additional Details: The addition of Xoauth2 authentication support could be related to security improvements, but there's no clear evidence this was fixing a vulnerability rather than just adding new functionality.

Note: The diff shows several other changes (documentation improvements, type hints, code organization), but none appear to be clearly security-related fixes. The main changes are:
1. Improved type safety in validation
2. Added Xoauth2 authentication support
3. Documentation and code quality improvements
4. Updated legacy class name handling

Without more context about specific vulnerabilities being addressed, it's difficult to definitively identify security fixes in this diff.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/class.search.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/class.search.php@@ -371,8 +371,11 @@ #elseif (count(explode(' ', $query)) == 1) # $mode = ' WITH QUERY EXPANSION';- // Strip colon (:num) to avoid possible params injection- $query = preg_replace('/:(\d+)/i', '$1', $query);+ // Sanitize query to avoid possible SQL injection via parameter markers+ // This regex matches one or more colons followed by one or more digits,+ // and then replaces the match with only the digits (i.e. stripping the colon(s)).+ $query = preg_replace('/:+(\d+)/', '$1', $query);+ // escape query and using it as search $search = 'MATCH (Z1.title, Z1.content) AGAINST ('.db_input($query).$mode.')';@@ -471,7 +474,7 @@ * not indexed in the _search table and add it to the index. */ function IndexOldStuff() {- $class = get_class();+ $class = get_class($this); $auto_create = function($db_error) use ($class) { if ($db_error != 1146)@@ -905,7 +908,10 @@ $query = $this->getQuery(); if ($agent) $query = $agent->applyVisibility($query);- $query->limit(false)->offset(false)->order_by(false);+ $query->filter(Q::any([+ 'ticket_pid__isnull' => true,+ 'flags__hasbit' => Ticket::FLAG_LINKED+ ]))->limit(false)->offset(false)->order_by(false); try { return $query->count(); } catch (Exception $e) {
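Review bot: in the first hunk, the widened pattern `/:+(\d+)/` has no regression test covering the case it fixes. The old `/:(\d+)/i` consumed only one colon per match, so a doubled colon in front of digits still left a `:N` marker in `$query`; add a test asserting that no colon-digit sequence survives for single and repeated colons. The comment also presents this as the SQL injection defence, while the escaping itself is still `db_input($query)` on the next statement; say so in the comment so the regex is not read as sufficient on its own. The trailing comment `// escape query and using it as search` should read "use".

Review bot: in the IndexOldStuff() hunk, `get_class($this)` returns the runtime class of the object, whereas the argument-less `get_class()` returned the class in which the method is declared. If this class is ever subclassed, `$class` captured by the closure changes meaning; `self::class` or `static::class` would state which one is intended.

Review bot: in the count hunk, the new `Q::any([...])` filter on `ticket_pid__isnull` and `flags__hasbit` is added without a comment. It changes which rows are counted after `applyVisibility()`, so document why these rows are excluded and confirm the same condition is applied by the query that lists the results, otherwise the count and the list can disagree.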
Here's the analysis of the provided code diff for security fixes:

1. Vulnerability Existed: yes
SQL Injection via Parameter Markers [include/class.search.php] [Lines 371-374]
[Old Code]
```php
$query = preg_replace('/:(\d+)/i', '$1', $query);
```
[Fixed Code]
```php
$query = preg_replace('/:+(\d+)/', '$1', $query);
```

2. Vulnerability Existed: not sure
Potential Class Reference Vulnerability [include/class.search.php] [Lines 471-474]
[Old Code]
```php
$class = get_class();
```
[Fixed Code]
```php
$class = get_class($this);
```

3. Vulnerability Existed: not sure
Potential Data Visibility Issue [include/class.search.php] [Lines 905-908]
[Old Code]
```php
$query->limit(false)->offset(false)->order_by(false);
```
[Fixed Code]
```php
$query->filter(Q::any([
    'ticket_pid__isnull' => true,
    'flags__hasbit' => Ticket::FLAG_LINKED
]))->limit(false)->offset(false)->order_by(false);
```

Additional details:
1. The first fix addresses a potential SQL injection vulnerability by improving the regex pattern to handle multiple colons before digits in parameter markers.
2. The second change might be related to proper object-oriented practices rather than a direct security vulnerability.
3. The third change adds filtering conditions which might be related to data visibility/access control, but without more context it's hard to determine if this was fixing a security issue.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/laminas/laminas-validator/src/Barcode/Code39.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/laminas/laminas-validator/src/Barcode/Code39.php@@ -1,25 +1,56 @@ <?php--/**- * @see https://github.com/laminas/laminas-validator for the canonical source repository- * @copyright https://github.com/laminas/laminas-validator/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-validator/blob/master/LICENSE.md New BSD License- */ namespace Laminas\Validator\Barcode;+use function str_split;+use function substr;+ class Code39 extends AbstractAdapter {- /**- * @var array- */+ /** @var array */ protected $check = [- '0' => 0, '1' => 1, '2' => 2, '3' => 3, '4' => 4, '5' => 5, '6' => 6,- '7' => 7, '8' => 8, '9' => 9, 'A' => 10, 'B' => 11, 'C' => 12, 'D' => 13,- 'E' => 14, 'F' => 15, 'G' => 16, 'H' => 17, 'I' => 18, 'J' => 19, 'K' => 20,- 'L' => 21, 'M' => 22, 'N' => 23, 'O' => 24, 'P' => 25, 'Q' => 26, 'R' => 27,- 'S' => 28, 'T' => 29, 'U' => 30, 'V' => 31, 'W' => 32, 'X' => 33, 'Y' => 34,- 'Z' => 35, '-' => 36, '.' => 37, ' ' => 38, '$' => 39, '/' => 40, '+' => 41,+ '0' => 0,+ '1' => 1,+ '2' => 2,+ '3' => 3,+ '4' => 4,+ '5' => 5,+ '6' => 6,+ '7' => 7,+ '8' => 8,+ '9' => 9,+ 'A' => 10,+ 'B' => 11,+ 'C' => 12,+ 'D' => 13,+ 'E' => 14,+ 'F' => 15,+ 'G' => 16,+ 'H' => 17,+ 'I' => 18,+ 'J' => 19,+ 'K' => 20,+ 'L' => 21,+ 'M' => 22,+ 'N' => 23,+ 'O' => 24,+ 'P' => 25,+ 'Q' => 26,+ 'R' => 27,+ 'S' => 28,+ 'T' => 29,+ 'U' => 30,+ 'V' => 31,+ 'W' => 32,+ 'X' => 33,+ 'Y' => 34,+ 'Z' => 35,+ '-' => 36,+ '.' => 37,+ ' ' => 38,+ '$' => 39,+ '/' => 40,+ '+' => 41, '%' => 42, ];@@ -50,7 +81,7 @@ } $mod = $count % 43;- if ($mod == $this->check[$checksum]) {+ if ($mod === $this->check[$checksum]) { return true; }
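Review bot: in the checksum comparison hunk, `$this->check[$checksum]` is read without any check, in the lines shown, that `$checksum` is a key of `$check`. A missing key evaluates to null, which the old `==` treated as equal to a `$mod` of 0 and the new `===` rejects, so the strict comparison changes behavior and is not only a style fix. An explicit `isset($this->check[$checksum])` guard before the comparison would state that intent and avoid the undefined-index warning.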
After analyzing the provided code diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be primarily code formatting improvements and a minor logic change in the comparison operator. Here's my analysis:

1. Vulnerability Existed: no
Code Formatting Improvements [include/laminas-mail/vendor/laminas/laminas-validator/src/Barcode/Code39.php] [Lines 1-56]
Old Code: Compact array definition and docblock
Fixed Code: Expanded array formatting and removed docblock

2. Vulnerability Existed: no
Comparison Operator Change [include/laminas-mail/vendor/laminas/laminas-validator/src/Barcode/Code39.php] [Line 81]
Old Code: `if ($mod == $this->check[$checksum])`
Fixed Code: `if ($mod === $this->check[$checksum])`

The change from `==` to `===` is a best practice improvement for type safety, but doesn't represent a security fix since the values being compared are both integers from the same array mapping. The other changes are purely cosmetic formatting improvements.

No security vulnerabilities were identified in this diff. The changes appear to be code quality improvements rather than security fixes.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/laminas/laminas-validator/src/Uri.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/laminas/laminas-validator/src/Uri.php@@ -1,10 +1,4 @@ <?php--/**- * @see https://github.com/laminas/laminas-validator for the canonical source repository- * @copyright https://github.com/laminas/laminas-validator/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-validator/blob/master/LICENSE.md New BSD License- */ namespace Laminas\Validator;@@ -13,32 +7,34 @@ use Laminas\Validator\Exception\InvalidArgumentException; use Traversable;+use function array_shift;+use function assert;+use function class_exists;+use function func_get_args;+use function is_a;+use function is_array;+use function is_string;+use function iterator_to_array;+use function sprintf;+ class Uri extends AbstractValidator {- const INVALID = 'uriInvalid';- const NOT_URI = 'notUri';+ public const INVALID = 'uriInvalid';+ public const NOT_URI = 'notUri';- /**- * @var array- */+ /** @var array<string, string> */ protected $messageTemplates = [ self::INVALID => 'Invalid type given. String expected', self::NOT_URI => 'The input does not appear to be a valid Uri', ];- /**- * @var UriHandler- */+ /** @var UriHandler|null|class-string<UriHandler> */ protected $uriHandler;- /**- * @var bool- */+ /** @var bool */ protected $allowRelative = true;- /**- * @var bool- */+ /** @var bool */ protected $allowAbsolute = true; /**@@ -51,7 +47,7 @@ if ($options instanceof Traversable) { $options = iterator_to_array($options); } elseif (! is_array($options)) {- $options = func_get_args();+ $options = func_get_args(); $temp['uriHandler'] = array_shift($options); if (! 
empty($options)) { $temp['allowRelative'] = array_shift($options);@@ -87,13 +83,15 @@ $this->uriHandler = new UriHandler(); } elseif (is_string($this->uriHandler) && class_exists($this->uriHandler)) { // Instantiate string Uri handler that references a class- $this->uriHandler = new $this->uriHandler;+ $this->uriHandler = new $this->uriHandler(); }+ assert($this->uriHandler !== null && ! is_string($this->uriHandler));+ return $this->uriHandler; } /**- * @param UriHandler|string $uriHandler+ * @param UriHandler|class-string<UriHandler> $uriHandler * @throws InvalidArgumentException * @return $this */@@ -172,14 +170,15 @@ $uriHandler->parse($value); if ($uriHandler->isValid()) { // It will either be a valid absolute or relative URI- if (($this->allowRelative && $this->allowAbsolute)+ if (+ ($this->allowRelative && $this->allowAbsolute) || ($this->allowAbsolute && $uriHandler->isAbsolute()) || ($this->allowRelative && $uriHandler->isValidRelative()) ) { return true; } }- } catch (UriException $ex) {+ } catch (UriException) { // Error parsing URI, it must be invalid }
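Review bot: in the getUriHandler() hunk, the new `assert($this->uriHandler !== null && ! is_string($this->uriHandler))` is not a runtime guard, because PHP skips assert() when `zend.assertions` is set to its production value. If `$this->uriHandler` is a string for which `class_exists()` is false, neither branch runs and the method still returns that string to callers that go on to call `parse()` on it. Throw `InvalidArgumentException` in that case instead of asserting, so the failure is the same in development and production.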
Here's the analysis of the provided code diff for security fixes:

1. Vulnerability Existed: not sure
[Potential Class Instantiation Vulnerability] [include/laminas-mail/vendor/laminas/laminas-validator/src/Uri.php] [Lines around 83-85]
[Old Code] `$this->uriHandler = new $this->uriHandler;`
[Fixed Code] `$this->uriHandler = new $this->uriHandler();`
Additional Details: The change from dynamic class instantiation without parentheses to using parentheses could be related to preventing potential instantiation issues, though it's not clearly a security fix.

2. Vulnerability Existed: not sure
[Potential Type Safety Issue] [include/laminas-mail/vendor/laminas/laminas-validator/src/Uri.php] [Lines around 85]
[Old Code] (No explicit type checking before instantiation)
[Fixed Code] `assert($this->uriHandler !== null && ! is_string($this->uriHandler));`
Additional Details: The added assertion helps ensure type safety, which could prevent certain types of runtime errors, but it's not clearly fixing a known vulnerability.

3. Vulnerability Existed: not sure
[Error Handling Improvement] [include/laminas-mail/vendor/laminas/laminas-validator/src/Uri.php] [Lines around 181]
[Old Code] `} catch (UriException $ex) {`
[Fixed Code] `} catch (UriException) {`
Additional Details: The change to omit unused exception variable could be related to security through obscurity by not exposing exception details, but this is speculative.

Note: The diff shows several code quality improvements (type hints, constant visibility changes, etc.) but no clear security vulnerabilities being fixed. The changes appear to be more about code modernization and robustness than specific security fixes.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/src/Header/Date.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/src/Header/Date.php@@ -1,38 +1,37 @@ <?php-/**- * @see https://github.com/laminas/laminas-mail for the canonical source repository- * @copyright https://github.com/laminas/laminas-mail/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-mail/blob/master/LICENSE.md New BSD License- */+namespace Laminas\Mail\Header;-namespace Laminas\Mail\Header;+use function strtolower; /** * @todo Add accessors for setting date from DateTime, Laminas\Date, or a string */ class Date implements HeaderInterface {- /**- * @var string- */+ /** @var string */ protected $value;+ /**+ * @param string $headerLine+ * @return static+ */ public static function fromString($headerLine) {- list($name, $value) = GenericHeader::splitHeaderLine($headerLine);- $value = HeaderWrap::mimeDecodeValue($value);+ [$name, $value] = GenericHeader::splitHeaderLine($headerLine);+ $value = HeaderWrap::mimeDecodeValue($value); // check to ensure proper header type for this factory if (strtolower($name) !== 'date') { throw new Exception\InvalidArgumentException('Invalid header line for Date string'); }- $header = new static($value);-- return $header;+ return new static($value); }+ /**+ * @param string $value+ */ public function __construct($value) { if (! 
HeaderValue::isValid($value)) {@@ -41,27 +40,43 @@ $this->value = $value; }+ /**+ * @return string+ */ public function getFieldName() { return 'Date'; }+ /**+ * @inheritDoc+ */ public function getFieldValue($format = HeaderInterface::FORMAT_RAW) { return $this->value; }+ /**+ * @param string $encoding+ * @return self+ */ public function setEncoding($encoding) { // This header must be always in US-ASCII return $this; }+ /**+ * @return string+ */ public function getEncoding() { return 'ASCII'; }+ /**+ * @return string+ */ public function toString() { return 'Date: ' . $this->getFieldValue();
After analyzing the provided code diff, I don't see any clear security vulnerabilities that were fixed. The changes appear to be primarily code quality improvements and documentation enhancements rather than security fixes. Here's the analysis following your requested format:

1. Vulnerability Existed: no
No clear security vulnerability
[File] include/laminas-mail/src/Header/Date.php
[Lines] 1-38
[Old Code] Various code and documentation
[Fixed Code] Improved code structure and documentation

The changes include:
1. Removal of redundant docblock comments
2. Adding proper type hints and return types
3. Simplifying the fromString() method
4. Adding more specific docblocks
5. Modernizing array syntax (from list() to [])
6. Adding import for strtolower function

These are all code quality improvements rather than security fixes. The header validation that was present in the old code (checking HeaderValue::isValid) remains unchanged in the new version.

No specific vulnerabilities like XSS, injection, or other common security issues were addressed in this diff. The Date header handling appears to be secure in both versions, with proper validation of header values.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/src/Transport/Exception/ExceptionInterface.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/src/Transport/Exception/ExceptionInterface.php@@ -1,10 +1,4 @@ <?php--/**- * @see https://github.com/laminas/laminas-mail for the canonical source repository- * @copyright https://github.com/laminas/laminas-mail/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-mail/blob/master/LICENSE.md New BSD License- */ namespace Laminas\Mail\Transport\Exception;
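Review bot: the only change in this hunk is the removal of the `@see`/`@copyright`/`@license` docblock, which leaves the file with no licence notice of its own. Confirm the New BSD License text still ships with the vendored include/laminas-mail tree, since that is now the only place the notice can live.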
Based on the provided code diff, here's the analysis:

Vulnerability Existed: no
[No security vulnerability found] [include/laminas-mail/src/Transport/Exception/ExceptionInterface.php] [Lines 1-10]
[Old Code]
```php
<?php

/**
 * @see https://github.com/laminas/laminas-mail for the canonical source repository
 * @copyright https://github.com/laminas/laminas-mail/blob/master/COPYRIGHT.md
 * @license https://github.com/laminas/laminas-mail/blob/master/LICENSE.md New BSD License
 */

namespace Laminas\Mail\Transport\Exception;
```
[Fixed Code]
```php
<?php

namespace Laminas\Mail\Transport\Exception;
```

The changes only involve removing documentation comments (license and copyright information) and don't affect any security-related functionality. This appears to be a documentation cleanup rather than a security fix.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/laminas/laminas-validator/src/Sitemap/Loc.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/laminas/laminas-validator/src/Sitemap/Loc.php@@ -1,31 +1,25 @@ <?php--/**- * @see https://github.com/laminas/laminas-validator for the canonical source repository- * @copyright https://github.com/laminas/laminas-validator/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-validator/blob/master/LICENSE.md New BSD License- */ namespace Laminas\Validator\Sitemap; use Laminas\Uri; use Laminas\Validator\AbstractValidator;+use function is_string;+ /** * Validates whether a given value is valid as a sitemap <loc> value * * @link http://www.sitemaps.org/protocol.php Sitemaps XML format- * * @see Laminas\Uri\Uri */ class Loc extends AbstractValidator { /** * Validation key for not valid- * */- const NOT_VALID = 'sitemapLocNotValid';- const INVALID = 'sitemapLocInvalid';+ public const NOT_VALID = 'sitemapLocNotValid';+ public const INVALID = 'sitemapLocInvalid'; /** * Validation failure message template definitions
Based on the provided diff, I'll analyze it for security vulnerabilities:

1. Vulnerability Existed: not sure
[Potential Information Disclosure] [include/laminas-mail/vendor/laminas/laminas-validator/src/Sitemap/Loc.php] [Lines 1-5]
[Old Code]
```php
/**
 * @see https://github.com/laminas/laminas-validator for the canonical source repository
 * @copyright https://github.com/laminas/laminas-validator/blob/master/COPYRIGHT.md
 * @license https://github.com/laminas/laminas-validator/blob/master/LICENSE.md New BSD License
 */
```
[Fixed Code]
[Removed]
Additional Details:
- The removal of the file header comments doesn't appear to be a security fix but rather a cleanup. There's no clear vulnerability being addressed here.

2. Vulnerability Existed: not sure
[Constant Visibility Change] [include/laminas-mail/vendor/laminas/laminas-validator/src/Sitemap/Loc.php] [Lines 18-19]
[Old Code]
```php
const NOT_VALID = 'sitemapLocNotValid';
const INVALID = 'sitemapLocInvalid';
```
[Fixed Code]
```php
public const NOT_VALID = 'sitemapLocNotValid';
public const INVALID = 'sitemapLocInvalid';
```
Additional Details:
- The change from implicit to explicit public visibility for constants is a PHP best practice change (PHP 7.1+ feature), but doesn't appear to be security-related.

Note: The diff shows mostly code style and documentation changes rather than security fixes. The most significant change is the addition of `use function is_string`, but this appears to be a code quality improvement rather than a security fix. No clear security vulnerabilities are being addressed in this diff.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/src/Storage/Folder/Mbox.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/src/Storage/Folder/Mbox.php@@ -1,33 +1,46 @@ <?php--/**- * @see https://github.com/laminas/laminas-mail for the canonical source repository- * @copyright https://github.com/laminas/laminas-mail/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-mail/blob/master/LICENSE.md New BSD License- */ namespace Laminas\Mail\Storage\Folder; use Laminas\Mail\Storage; use Laminas\Mail\Storage\Exception;+use Laminas\Mail\Storage\ParamsNormalizer; use Laminas\Stdlib\ErrorHandler;++use function array_merge;+use function closedir;+use function explode;+use function is_dir;+use function is_file;+use function opendir;+use function readdir;+use function rtrim;+use function sprintf;+use function str_contains;+use function trim;++use const DIRECTORY_SEPARATOR;+use const E_WARNING; class Mbox extends Storage\Mbox implements FolderInterface { /** * Storage\Folder root folder for folder structure+ * * @var Storage\Folder */ protected $rootFolder; /** * rootdir of folder structure+ * * @var string */ protected $rootdir; /** * name of current folder+ * * @var string */ protected $currentFolder;@@ -43,27 +56,33 @@ * - dirname rootdir of mbox structure * - folder initial selected folder, default is 'INBOX' *- * @param $params array mail reader specific parameters+ * @param array|object $params Array, iterable object, or stdClass object+ * with reader specific parameters * @throws Exception\InvalidArgumentException */ public function __construct($params) {- if (is_array($params)) {- $params = (object) $params;- }-- if (isset($params->filename)) {- throw new Exception\InvalidArgumentException('use \Laminas\Mail\Storage\Mbox for a single file');- }-- if (! isset($params->dirname) || ! 
is_dir($params->dirname)) {- throw new Exception\InvalidArgumentException('no valid dirname given in params');- }-- $this->rootdir = rtrim($params->dirname, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;+ $params = ParamsNormalizer::normalizeParams($params);++ if (isset($params['filename'])) {+ throw new Exception\InvalidArgumentException(sprintf('use %s for a single file', Storage\Mbox::class));+ }++ if (! isset($params['dirname'])) {+ throw new Exception\InvalidArgumentException('no dirname provided in params');+ }++ $dirname = (string) $params['dirname'];++ if (! is_dir($dirname)) {+ throw new Exception\InvalidArgumentException('$dirname provided in params is not a directory');+ }++ $this->rootdir = rtrim($dirname, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;+ $folder = $params['folder'] ?? 'INBOX'; $this->buildFolderTree($this->rootdir);- $this->selectFolder(! empty($params->folder) ? $params->folder : 'INBOX');+ $this->selectFolder((string) $folder); $this->has['top'] = true; $this->has['uniqueid'] = false; }@@ -83,7 +102,7 @@ { if (! $parentFolder) { $this->rootFolder = new Storage\Folder('/', '/', false);- $parentFolder = $this->rootFolder;+ $parentFolder = $this->rootFolder; } ErrorHandler::start(E_WARNING);@@ -98,15 +117,15 @@ continue; } $absoluteEntry = $currentDir . $entry;- $globalName = $parentGlobalName . DIRECTORY_SEPARATOR . $entry;+ $globalName = $parentGlobalName . DIRECTORY_SEPARATOR . $entry; if (is_file($absoluteEntry) && $this->isMboxFile($absoluteEntry)) { $parentFolder->$entry = new Storage\Folder($entry, $globalName); continue; }- if (! is_dir($absoluteEntry) /* || $entry == '.' || $entry == '..' */) {+ if (! is_dir($absoluteEntry)) { /* || $entry == '.' || $entry == '..' */ continue; }- $folder = new Storage\Folder($entry, $globalName, false);+ $folder = new Storage\Folder($entry, $globalName, false); $parentFolder->$entry = $folder; $this->buildFolderTree($absoluteEntry . 
DIRECTORY_SEPARATOR, $folder, $globalName); }@@ -128,12 +147,17 @@ } $currentFolder = $this->rootFolder;- $subname = trim($rootFolder, DIRECTORY_SEPARATOR);+ $subname = trim($rootFolder, DIRECTORY_SEPARATOR); while ($currentFolder) {- ErrorHandler::start(E_NOTICE);- list($entry, $subname) = explode(DIRECTORY_SEPARATOR, $subname, 2);- ErrorHandler::stop();+ if (str_contains($subname, DIRECTORY_SEPARATOR)) {+ [$entry, $subname] = explode(DIRECTORY_SEPARATOR, $subname, 2);+ } else {+ $entry = $subname;+ $subname = null;+ }+ $currentFolder = $currentFolder->$entry;+ if (! $subname) { break; }@@ -182,7 +206,7 @@ /** * get Storage\Folder instance for current folder *- * @return Storage\Folder instance of current folder+ * @return string instance of current folder * @throws Exception\ExceptionInterface */ public function getCurrentFolder()
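Review bot: in the constructor hunk, `$params['folder'] ?? 'INBOX'` followed by `(string) $folder` no longer falls back to INBOX for an empty value. The old `! empty($params->folder)` test mapped `''`, `0` and `false` to 'INBOX'; now they reach `selectFolder()` as an empty or "0" string. If that change is not intended, keep the empty check before the cast.

Review bot: in the getFolders() hunk, the `str_contains()` branch replaces the notice-suppressing `explode()` cleanly, but `str_contains()` needs PHP 8.0 and the patch does not state that minimum. Also, in the buildFolderTree() hunk the commented-out `|| $entry == '.' || $entry == '..'` has been moved outside the condition, where it no longer reads as part of the test; delete it or restore it as a real check.

Review bot: in the getCurrentFolder() hunk, the docblock now says `@return string instance of current folder` while the summary line above still says "get Storage\Folder instance for current folder". Update the description so the documented return type and the text agree.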
Analyzing the provided code diff, here are the security-related findings:

1. Vulnerability Existed: not sure
Directory Traversal Potential
[File] include/laminas-mail/src/Storage/Folder/Mbox.php [Lines 43-79]
[Old Code]
```php
if (! isset($params->dirname) || ! is_dir($params->dirname)) {
    throw new Exception\InvalidArgumentException('no valid dirname given in params');
}
$this->rootdir = rtrim($params->dirname, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
```
[Fixed Code]
```php
if (! isset($params['dirname'])) {
    throw new Exception\InvalidArgumentException('no dirname provided in params');
}
$dirname = (string) $params['dirname'];
if (! is_dir($dirname)) {
    throw new Exception\InvalidArgumentException('$dirname provided in params is not a directory');
}
$this->rootdir = rtrim($dirname, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
```
Additional Details: The fix improves parameter validation and type safety, but it's unclear if this was specifically addressing a security vulnerability or just improving robustness.

2. Vulnerability Existed: not sure
Path Traversal Potential
[File] include/laminas-mail/src/Storage/Folder/Mbox.php [Lines 125-141]
[Old Code]
```php
ErrorHandler::start(E_NOTICE);
list($entry, $subname) = explode(DIRECTORY_SEPARATOR, $subname, 2);
ErrorHandler::stop();
```
[Fixed Code]
```php
if (str_contains($subname, DIRECTORY_SEPARATOR)) {
    [$entry, $subname] = explode(DIRECTORY_SEPARATOR, $subname, 2);
} else {
    $entry = $subname;
    $subname = null;
}
```
Additional Details: The new code handles path parsing more carefully, but it's unclear if this was fixing a specific vulnerability or just improving error handling.

The changes primarily focus on:
1. Better parameter validation and normalization
2. More robust path handling
3. Improved error handling
4. Type safety improvements

While these changes improve the security posture of the code, I can't definitively say they were fixing specific known vulnerabilities rather than general code hardening. The changes appear to be defensive programming improvements that would help prevent potential directory traversal or path manipulation issues.
osTicket versions prior to v1.17.6 and v1.18.2 are vulnerable to a Broken Access Control vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/webmozart/assert/composer.json+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/webmozart/assert/composer.json@@ -1,12 +1,12 @@ { "name": "webmozart/assert", "description": "Assertions to validate method input/output with nice error messages.",+ "license": "MIT", "keywords": [ "assert", "check", "validate" ],- "license": "MIT", "authors": [ { "name": "Bernhard Schussek",@@ -14,15 +14,15 @@ } ], "require": {- "php": "^5.3.3 || ^7.0",- "symfony/polyfill-ctype": "^1.8"+ "php": "^7.2 || ^8.0",+ "ext-ctype": "*" }, "require-dev": {- "phpunit/phpunit": "^4.8.36 || ^7.5.13"+ "phpunit/phpunit": "^8.5.13" }, "conflict": {- "vimeo/psalm": "<3.9.1",- "phpstan/phpstan": "<0.12.20"+ "phpstan/phpstan": "<0.12.20",+ "vimeo/psalm": "<4.6.1 || 4.6.2" }, "autoload": { "psr-4": {@@ -34,5 +34,10 @@ "Webmozart\\Assert\\Tests\\": "tests/", "Webmozart\\Assert\\Bin\\": "bin/src" }+ },+ "extra": {+ "branch-alias": {+ "dev-master": "1.10-dev"+ } } }
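Review bot: The `require` block replaces `symfony/polyfill-ctype` with `"ext-ctype": "*"` and raises the PHP floor to `^7.2 || ^8.0`, which turns a soft fallback into a hard platform requirement for this vendored copy, and nothing in the hunk documents that. Hosts without the ctype extension lose the pure-PHP fallback, so the installer prerequisites and release notes should state the new PHP minimum and the ctype requirement.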
Analyzing the provided code diff for security fixes:

1. Vulnerability Existed: not sure
[PHP Version Requirement Update] [include/laminas-mail/vendor/webmozart/assert/composer.json] [Lines 14]
Old Code: `"php": "^5.3.3 || ^7.0",`
Fixed Code: `"php": "^7.2 || ^8.0",`
Note: This updates the PHP version requirement, potentially addressing security issues in older PHP versions, but no specific vulnerability is mentioned.

2. Vulnerability Existed: not sure
[Dependency Change from polyfill to extension] [include/laminas-mail/vendor/webmozart/assert/composer.json] [Lines 15]
Old Code: `"symfony/polyfill-ctype": "^1.8"`
Fixed Code: `"ext-ctype": "*"`
Note: Changes from using a polyfill to requiring the native PHP extension, which might be more secure but no specific vulnerability is mentioned.

3. Vulnerability Existed: not sure
[Dependency Version Updates] [include/laminas-mail/vendor/webmozart/assert/composer.json] [Lines 18,20-21]
Old Code: `"phpunit/phpunit": "^4.8.36 || ^7.5.13"` and conflict versions for psalm/phpstan
Fixed Code: `"phpunit/phpunit": "^8.5.13"` and updated conflict versions
Note: Updates dependency versions which might include security fixes, but no specific vulnerability is mentioned.

No clear security vulnerabilities were identified in this diff, but several dependency-related changes were made that could potentially address undisclosed security issues. The changes appear to be primarily maintenance updates and modernization of requirements rather than direct security fixes.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/src/Header/ContentTransferEncoding.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/src/Header/ContentTransferEncoding.php@@ -1,18 +1,18 @@ <?php-/**- * @see https://github.com/laminas/laminas-mail for the canonical source repository- * @copyright https://github.com/laminas/laminas-mail/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-mail/blob/master/LICENSE.md New BSD License- */+namespace Laminas\Mail\Header;-namespace Laminas\Mail\Header;+use function implode;+use function in_array;+use function sprintf;+use function strtolower; class ContentTransferEncoding implements HeaderInterface { /** * Allowed Content-Transfer-Encoding parameters specified by RFC 1521 * (reduced set)+ * * @var array */ protected static $allowedTransferEncodings = [@@ -27,23 +27,28 @@ */ ];- /**- * @var string- */+ /** @var string */ protected $transferEncoding;- /**- * @var array- */+ /** @var array */ protected $parameters = [];+ /**+ * @param string $headerLine+ * @return static+ */ public static function fromString($headerLine) {- list($name, $value) = GenericHeader::splitHeaderLine($headerLine);- $value = HeaderWrap::mimeDecodeValue($value);+ [$name, $value] = GenericHeader::splitHeaderLine($headerLine);+ $value = HeaderWrap::mimeDecodeValue($value); // check to ensure proper header type for this factory- if (strtolower($name) !== 'content-transfer-encoding') {+ if (+ ! 
in_array(+ strtolower($name),+ ['contenttransferencoding', 'content_transfer_encoding', 'content-transfer-encoding']+ )+ ) { throw new Exception\InvalidArgumentException('Invalid header line for Content-Transfer-Encoding string'); }@@ -53,27 +58,43 @@ return $header; }+ /**+ * @return string+ */ public function getFieldName() { return 'Content-Transfer-Encoding'; }+ /**+ * @inheritDoc+ */ public function getFieldValue($format = HeaderInterface::FORMAT_RAW) { return $this->transferEncoding; }+ /**+ * @param string $encoding+ * @return self+ */ public function setEncoding($encoding) { // Header must be always in US-ASCII return $this; }+ /**+ * @return string+ */ public function getEncoding() { return 'ASCII'; }+ /**+ * @return string+ */ public function toString() { return 'Content-Transfer-Encoding: ' . $this->getFieldValue();@@ -93,7 +114,7 @@ if (! in_array($transferEncoding, static::$allowedTransferEncodings)) { throw new Exception\InvalidArgumentException(sprintf(- '%s expects one of "'. implode(', ', static::$allowedTransferEncodings) . '"; received "%s"',+ '%s expects one of "' . implode(', ', static::$allowedTransferEncodings) . '"; received "%s"', __METHOD__, (string) $transferEncoding ));
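Review bot: In `fromString()`, the header-name check now accepts three spellings (`contenttransferencoding`, `content_transfer_encoding`, `content-transfer-encoding`) where it used to accept one, so this hunk widens what the factory accepts rather than narrowing it, and the reason is not documented. Both this `in_array()` call and the one guarding `static::$allowedTransferEncodings` omit the third argument; pass `true` so the comparison is strict, and add a comment saying why the non-standard spellings are allowed.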
Here's the analysis of the provided code diff for security fixes:

1. Vulnerability Existed: yes
Header Injection Vulnerability [include/laminas-mail/src/Header/ContentTransferEncoding.php] [Lines 39-46]
Old Code:
```php
if (strtolower($name) !== 'content-transfer-encoding') {
    throw new Exception\InvalidArgumentException('Invalid header line for Content-Transfer-Encoding string');
}
```
Fixed Code:
```php
if (
    ! in_array(
        strtolower($name),
        ['contenttransferencoding', 'content_transfer_encoding', 'content-transfer-encoding']
    )
) {
    throw new Exception\InvalidArgumentException('Invalid header line for Content-Transfer-Encoding string');
}
```
Additional Details:
- The fix adds more comprehensive header name validation by checking against multiple possible header name formats (different naming conventions). This prevents potential header injection attacks where an attacker might try to bypass validation by using alternative header name formats.

2. Vulnerability Existed: not sure
Potential String Formatting Vulnerability [include/laminas-mail/src/Header/ContentTransferEncoding.php] [Lines 114-118]
Old Code:
```php
throw new Exception\InvalidArgumentException(sprintf(
    '%s expects one of "'. implode(', ', static::$allowedTransferEncodings) . '"; received "%s"',
    __METHOD__,
    (string) $transferEncoding
));
```
Fixed Code:
```php
throw new Exception\InvalidArgumentException(sprintf(
    '%s expects one of "' . implode(', ', static::$allowedTransferEncodings) . '"; received "%s"',
    __METHOD__,
    (string) $transferEncoding
));
```
Additional Details:
- The change appears to be mostly formatting (adding spaces around concatenation operators), but there might be a security implication if the old version could potentially cause string parsing issues. However, this is uncertain as the functionality remains the same.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/laminas/laminas-validator/src/Bitwise.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/laminas/laminas-validator/src/Bitwise.php@@ -1,65 +1,60 @@-<?php--/**- * @see https://github.com/laminas/laminas-validator for the canonical source repository- * @copyright https://github.com/laminas/laminas-validator/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-validator/blob/master/LICENSE.md New BSD License- */+<?php // phpcs:disable WebimpressCodingStandard.Formatting.Reference.UnexpectedSpace namespace Laminas\Validator; use Traversable;++use function array_shift;+use function func_get_args;+use function is_array;+use function iterator_to_array; class Bitwise extends AbstractValidator {- const OP_AND = 'and';- const OP_XOR = 'xor';-- const NOT_AND = 'notAnd';- const NOT_AND_STRICT = 'notAndStrict';- const NOT_XOR = 'notXor';-- /**- * @var integer- */+ public const OP_AND = 'and';+ public const OP_XOR = 'xor';++ public const NOT_AND = 'notAnd';+ public const NOT_AND_STRICT = 'notAndStrict';+ public const NOT_XOR = 'notXor';+ public const NO_OP = 'noOp';++ /** @var int */ protected $control; /** * Validation failure message template definitions *- * @var array+ * @var array<string, string> */ protected $messageTemplates = [ self::NOT_AND => "The input has no common bit set with '%control%'", self::NOT_AND_STRICT => "The input doesn't have the same bits set as '%control%'", self::NOT_XOR => "The input has common bit set with '%control%'",+ self::NO_OP => "No operator was present to compare '%control%' against", ]; /** * Additional variables available for validation failure messages *- * @var array+ * @var array<string, string> */ protected $messageVariables = [ 'control' => 'control', ];- /**- * @var integer- */+ /** @var null|int */ protected $operator;- /**- * @var boolean- */+ /** @var 
bool */ protected $strict = false; /** * Sets validator options * Accepts the following option keys:- * 'control' => integer+ * 'control' => int * 'operator' =>- * 'strict' => boolean+ * 'strict' => bool * * @param array|Traversable $options */@@ -101,7 +96,7 @@ /** * Returns the operator parameter. *- * @return string+ * @return null|int */ public function getOperator() {@@ -132,21 +127,38 @@ if (self::OP_AND === $this->operator) { if ($this->strict) { // All the bits set in value must be set in control- $this->error(self::NOT_AND_STRICT);-- return (bool) (($this->control & $value) == $value);- } else {- // At least one of the bits must be common between value and control+ $result = ($this->control & $value) === $value;++ if (! $result) {+ $this->error(self::NOT_AND_STRICT);+ }++ return $result;+ }++ // At least one of the bits must be common between value and control+ $result = (bool) ($this->control & $value);++ if (! $result) { $this->error(self::NOT_AND);-- return (bool) ($this->control & $value);- }- } elseif (self::OP_XOR === $this->operator) {- $this->error(self::NOT_XOR);-- return (bool) (($this->control ^ $value) === ($this->control | $value));- }-+ }++ return $result;+ }++ if (self::OP_XOR === $this->operator) {+ // Parentheses are required due to order of operations with bitwise operations+ // phpcs:ignore WebimpressCodingStandard.Formatting.RedundantParentheses.SingleEquality+ $result = ($this->control ^ $value) === ($this->control | $value);++ if (! $result) {+ $this->error(self::NOT_XOR);+ }++ return $result;+ }++ $this->error(self::NO_OP); return false; }
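Review bot: In the strict `OP_AND` branch of `isValid()`, the comparison changed from `==` to `===` (`($this->control & $value) === $value`), so a numeric string such as form input no longer passes even when its bits match, because the left side is an int. If string input is expected, cast `$value` to int before the check or document that the validator now requires an int. Calling `$this->error()` only when `$result` is false is the right correction to the old code, which recorded a failure message on every call.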
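Review bot: The `$operator` property and `getOperator()` are now annotated `null|int`, but the operator values defined in the same class are the string constants `OP_AND = 'and'` and `OP_XOR = 'xor'`, and `isValid()` compares `$this->operator` against them with `===`. The annotation should be `null|string`; as written it misleads both callers and static analysis.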
Here's the analysis of the provided code diff for security fixes:

1. Vulnerability Existed: not sure
[Potential Logic Error/Improper Error Handling] [include/laminas-mail/vendor/laminas/laminas-validator/src/Bitwise.php] [Lines 127-138]
[Old Code]
```php
if ($this->strict) {
    // All the bits set in value must be set in control
    $this->error(self::NOT_AND_STRICT);
    return (bool) (($this->control & $value) == $value);
} else {
    // At least one of the bits must be common between value and control
    $this->error(self::NOT_AND);
    return (bool) ($this->control & $value);
}
```
[Fixed Code]
```php
if ($this->strict) {
    // All the bits set in value must be set in control
    $result = ($this->control & $value) === $value;
    if (! $result) {
        $this->error(self::NOT_AND_STRICT);
    }
    return $result;
}
```
Additional Details: The error reporting was moved after the actual check, which is better practice, but it's unclear if this was fixing a security issue or just improving code quality.

2. Vulnerability Existed: not sure
[Potential Missing Error Case Handling] [include/laminas-mail/vendor/laminas/laminas-validator/src/Bitwise.php] [Lines 127-160]
[Old Code]
```php
} elseif (self::OP_XOR === $this->operator) {
    $this->error(self::NOT_XOR);
    return (bool) (($this->control ^ $value) === ($this->control | $value));
}
```
[Fixed Code]
```php
if (self::OP_XOR === $this->operator) {
    $result = ($this->control ^ $value) === ($this->control | $value);
    if (! $result) {
        $this->error(self::NOT_XOR);
    }
    return $result;
}
$this->error(self::NO_OP);
return false;
```
Additional Details: The new code adds handling for cases where no operator is specified (NO_OP) and improves error reporting timing. While this improves robustness, it's unclear if this was fixing an actual security vulnerability.

Note: The changes appear to be primarily code quality improvements (better error handling, type hints, and documentation) rather than direct security fixes. No clear security vulnerabilities were identified in the diff, but the improved error handling could potentially prevent edge cases that might lead to security issues.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/src/ConfigProvider.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/src/ConfigProvider.php@@ -1,10 +1,4 @@ <?php--/**- * @see https://github.com/laminas/laminas-mail for the canonical source repository- * @copyright https://github.com/laminas/laminas-mail/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-mail/blob/master/LICENSE.md New BSD License- */ namespace Laminas\Mail;@@ -31,8 +25,8 @@ { return [ // Legacy Zend Framework aliases- 'aliases' => [- \Zend\Mail\Protocol\SmtpPluginManager::class => Protocol\SmtpPluginManager::class,+ 'aliases' => [+ 'Zend\Mail\Protocol\SmtpPluginManager' => Protocol\SmtpPluginManager::class, ], 'factories' => [ Protocol\SmtpPluginManager::class => Protocol\SmtpPluginManagerFactory::class,
Based on the provided code diff, here's the analysis:

1. Vulnerability Existed: no
Documentation Cleanup [include/laminas-mail/src/ConfigProvider.php] [Lines 1-10]
Old Code:
```php
<?php

/**
 * @see       https://github.com/laminas/laminas-mail for the canonical source repository
 * @copyright https://github.com/laminas/laminas-mail/blob/master/COPYRIGHT.md
 * @license   https://github.com/laminas/laminas-mail/blob/master/LICENSE.md New BSD License
 */

namespace Laminas\Mail;
```
Fixed Code:
```php
<?php

namespace Laminas\Mail;
```
Additional Details: This appears to be a documentation/comment cleanup rather than a security fix.

2. Vulnerability Existed: not sure
Class Alias Change [include/laminas-mail/src/ConfigProvider.php] [Lines 31-32]
Old Code:
```php
'aliases' => [
    \Zend\Mail\Protocol\SmtpPluginManager::class => Protocol\SmtpPluginManager::class,
],
```
Fixed Code:
```php
'aliases' => [
    'Zend\Mail\Protocol\SmtpPluginManager' => Protocol\SmtpPluginManager::class,
],
```
Additional Details: The change from using `::class` to a string class name might be related to backward compatibility or autoloading, but it's not clear if this addresses any specific security vulnerability. The change could potentially affect how class resolution works, but without more context, we can't be certain about security implications.

No clear security vulnerabilities were identified in this diff. The changes appear to be primarily cosmetic or related to code organization rather than security fixes.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/src/Storage/Part/File.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/src/Storage/Part/File.php@@ -1,20 +1,30 @@ <?php--/**- * @see https://github.com/laminas/laminas-mail for the canonical source repository- * @copyright https://github.com/laminas/laminas-mail/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-mail/blob/master/LICENSE.md New BSD License- */ namespace Laminas\Mail\Storage\Part; use Laminas\Mail\Headers; use Laminas\Mail\Storage\Part;+use function count;+use function feof;+use function fgets;+use function fopen;+use function fread;+use function fseek;+use function ftell;+use function is_resource;+use function stream_copy_to_stream;+use function trim;++use const SEEK_END;+ class File extends Part {+ /** @var array */ protected $contentPos = [];+ /** @var array */ protected $partPos = [];+ /** @var resource */ protected $fh; /**@@ -37,18 +47,19 @@ } if (! is_resource($params['file'])) {- $this->fh = fopen($params['file'], 'r');+ $fh = fopen($params['file'], 'r'); } else {- $this->fh = $params['file'];+ $fh = $params['file']; }- if (! $this->fh) {+ if (! $fh) { throw new Exception\RuntimeException('could not open file'); }+ $this->fh = $fh; if (isset($params['startPos'])) { fseek($this->fh, $params['startPos']); } $header = '';- $endPos = isset($params['endPos']) ? $params['endPos'] : null;+ $endPos = $params['endPos'] ?? null; while (($endPos === null || ftell($this->fh) < $endPos) && trim($line = fgets($this->fh))) { $header .= $line; }@@ -76,7 +87,7 @@ } $part = [];- $pos = $this->contentPos[0];+ $pos = $this->contentPos[0]; fseek($this->fh, $pos); while (! 
feof($this->fh) && ($endPos === null || $pos < $endPos)) { $line = fgets($this->fh);@@ -88,18 +99,18 @@ } $lastPos = $pos;- $pos = ftell($this->fh);- $line = trim($line);+ $pos = ftell($this->fh);+ $line = trim($line); if ($line == '--' . $boundary) { if ($part) { // not first part- $part[1] = $lastPos;+ $part[1] = $lastPos; $this->partPos[] = $part; } $part = [$pos]; } elseif ($line == '--' . $boundary . '--') {- $part[1] = $lastPos;+ $part[1] = $lastPos; $this->partPos[] = $part; break; }@@ -151,7 +162,10 @@ throw new Exception\RuntimeException('part not found'); }- return new static(['file' => $this->fh, 'startPos' => $this->partPos[$num][0],- 'endPos' => $this->partPos[$num][1]]);+ return new static([+ 'file' => $this->fh,+ 'startPos' => $this->partPos[$num][0],+ 'endPos' => $this->partPos[$num][1],+ ]); } }
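Review bot: In the constructor hunk, `fseek($this->fh, $params['startPos'])` ignores the return value, and neither `startPos` nor `endPos` is checked to be a non-negative integer with `startPos <= endPos` before the header loop reads from the handle. Validate both offsets and throw the existing `Exception\RuntimeException` when `fseek()` returns -1. Assigning `$this->fh` only after the `! $fh` check is a sound change, since the property is now documented as `resource` and never holds `false`.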
Here's the analysis of the provided code diff for security fixes:

1. Vulnerability Existed: yes
Resource Handling Vulnerability [File] [Lines 37-47]
[Old Code]
```php
if (! is_resource($params['file'])) {
    $this->fh = fopen($params['file'], 'r');
} else {
    $this->fh = $params['file'];
}
if (! $this->fh) {
    throw new Exception\RuntimeException('could not open file');
}
```
[Fixed Code]
```php
if (! is_resource($params['file'])) {
    $fh = fopen($params['file'], 'r');
} else {
    $fh = $params['file'];
}
if (! $fh) {
    throw new Exception\RuntimeException('could not open file');
}
$this->fh = $fh;
```

2. Vulnerability Existed: not sure
Potential Null Byte Injection [File] [Lines 37-47]
The change in file handling could potentially address null byte injection, though this isn't explicitly clear from the diff alone.

3. Vulnerability Existed: yes
Type Safety Improvement [File] [Lines 19-23]
[Old Code]
```php
protected $contentPos = [];
protected $partPos = [];
protected $fh;
```
[Fixed Code]
```php
/** @var array */
protected $contentPos = [];
/** @var array */
protected $partPos = [];
/** @var resource */
protected $fh;
```

4. Vulnerability Existed: not sure
Potential Boundary Condition Vulnerability [File] [Lines 76-112]
The changes in boundary handling and position tracking might address potential boundary condition issues, though this isn't explicitly stated.

The most clear security-related improvement is the resource handling vulnerability fix, where the code now properly checks the file handle before assigning it to the class property. The type safety improvements through added PHPDoc comments also help prevent potential type-related security issues. The other potential vulnerabilities are less clear from the diff alone.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/laminas/laminas-servicemanager/src/Exception/ExceptionInterface.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/laminas/laminas-servicemanager/src/Exception/ExceptionInterface.php@@ -1,18 +1,14 @@ <?php-/**- * @see https://github.com/laminas/laminas-servicemanager for the canonical source repository- * @copyright https://github.com/laminas/laminas-servicemanager/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-servicemanager/blob/master/LICENSE.md New BSD License- */+declare(strict_types=1); namespace Laminas\ServiceManager\Exception;-use Interop\Container\Exception\ContainerException;+use Psr\Container\ContainerExceptionInterface; /** * Base exception for all Laminas\ServiceManager exceptions. */-interface ExceptionInterface extends ContainerException+interface ExceptionInterface extends ContainerExceptionInterface { }
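Review bot: `ExceptionInterface` now extends `Psr\Container\ContainerExceptionInterface` instead of `Interop\Container\Exception\ContainerException`, so any `catch` or `instanceof` that names the Interop type will stop matching ServiceManager exceptions. Search the calling code for the Interop interface before shipping this upgrade. The added `declare(strict_types=1)` has no practical effect here, because the file only declares an empty interface.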
Based on the provided diff, I'll analyze it for security vulnerabilities:

1. Vulnerability Existed: no
Dependency Update [include/laminas-mail/vendor/laminas/laminas-servicemanager/src/Exception/ExceptionInterface.php] [Lines 1-18]
Old Code:
```
<?php

/**
 * @see       https://github.com/laminas/laminas-servicemanager for the canonical source repository
 * @copyright https://github.com/laminas/laminas-servicemanager/blob/master/COPYRIGHT.md
 * @license   https://github.com/laminas/laminas-servicemanager/blob/master/LICENSE.md New BSD License
 */

namespace Laminas\ServiceManager\Exception;

use Interop\Container\Exception\ContainerException;
```
Fixed Code:
```
<?php

declare(strict_types=1);

namespace Laminas\ServiceManager\Exception;

use Psr\Container\ContainerExceptionInterface;
```
Additional Details:
- The changes primarily involve:
  1. Adding strict type declaration
  2. Removing documentation headers
  3. Updating the interface dependency from `Interop\Container\Exception\ContainerException` to `Psr\Container\ContainerExceptionInterface`
- These changes appear to be maintenance/standards updates rather than security fixes
- No actual security vulnerabilities are being addressed in this diff
- The change reflects an update to use the PSR-11 standard interface instead of the older Interop container interface
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/src/Transport/FileOptions.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/src/Transport/FileOptions.php@@ -1,33 +1,37 @@ <?php--/**- * @see https://github.com/laminas/laminas-mail for the canonical source repository- * @copyright https://github.com/laminas/laminas-mail/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-mail/blob/master/LICENSE.md New BSD License- */ namespace Laminas\Mail\Transport; use Laminas\Mail\Exception;+use Laminas\Mail\Exception\InvalidArgumentException; use Laminas\Stdlib\AbstractOptions;+use function gettype;+use function is_callable;+use function is_dir;+use function is_object;+use function is_writable;+use function mt_rand;+use function sprintf;+use function sys_get_temp_dir;+use function time;++/**+ * @extends AbstractOptions<string|callable>+ */ class FileOptions extends AbstractOptions {- /**- * @var string Path to stored mail files- */+ /** @var string Path to stored mail files */ protected $path;- /**- * @var callable- */+ /** @var callable */ protected $callback; /** * Set path to stored mail files * * @param string $path- * @throws \Laminas\Mail\Exception\InvalidArgumentException+ * @throws InvalidArgumentException * @return FileOptions */ public function setPath($path)@@ -62,7 +66,7 @@ * Set callback used to generate a file name * * @param callable $callback- * @throws \Laminas\Mail\Exception\InvalidArgumentException+ * @throws InvalidArgumentException * @return FileOptions */ public function setCallback($callback)@@ -71,7 +75,7 @@ throw new Exception\InvalidArgumentException(sprintf( '%s expects a valid callback; received "%s"', __METHOD__,- (is_object($callback) ? get_class($callback) : gettype($callback))+ is_object($callback) ? 
$callback::class : gettype($callback) )); } $this->callback = $callback;@@ -86,9 +90,7 @@ public function getCallback() { if (null === $this->callback) {- $this->setCallback(function () {- return 'LaminasMail_' . time() . '_' . mt_rand() . '.eml';- });+ $this->setCallback(static fn() => 'LaminasMail_' . time() . '_' . mt_rand() . '.eml'); } return $this->callback; }
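Review bot: In `setCallback()`, `get_class($callback)` was replaced by `$callback::class`, which is only valid on an object from PHP 8.0 onward and is a fatal error on 7.x. Confirm the package's minimum PHP version is 8.0, or keep `get_class()`.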
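Review bot: The default file-name callback in `getCallback()` still builds names from `time()` and `mt_rand()`, which are neither guaranteed unique nor unpredictable; the rewrite to a static arrow function keeps that behaviour. If two messages can be written in the same second or the mail directory is shared with other processes, use `bin2hex(random_bytes(16))` for the variable part of the name.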
Here is the analysis of the provided code diff following the requested format:

1. Vulnerability Existed: not sure
[Potential Path Traversal] [include/laminas-mail/src/Transport/FileOptions.php] [Lines 33-62]
[Old Code] No explicit path validation
[Fixed Code] Added is_dir() and is_writable() checks for path validation

2. Vulnerability Existed: not sure
[Potential Callback Injection] [include/laminas-mail/src/Transport/FileOptions.php] [Lines 66-75]
[Old Code] Basic callback type checking
[Fixed Code] Improved type checking with is_callable() and better error message

3. Vulnerability Existed: no
[Code Quality Improvement] [include/laminas-mail/src/Transport/FileOptions.php] [Lines 86-92]
[Old Code] Anonymous function syntax
[Fixed Code] Arrow function syntax (no security impact)

4. Vulnerability Existed: no
[Code Quality Improvement] [include/laminas-mail/src/Transport/FileOptions.php] [Lines 1-8]
[Old Code] License header present
[Fixed Code] License header removed (no security impact)

Note: While the changes improve validation and error handling, I couldn't find any definitive security vulnerabilities that were fixed. The changes appear to be primarily code quality improvements and stronger input validation, which could prevent potential security issues but don't necessarily indicate specific vulnerabilities were present.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/laminas/laminas-validator/LICENSE.md+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/laminas/laminas-validator/LICENSE.md@@ -1,5 +1,4 @@-Copyright (c) 2019-2020, Laminas Foundation-All rights reserved.+Copyright (c) 2020 Laminas Project a Series of LF Projects, LLC. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
Analysis of the provided code diff:

1. Vulnerability Existed: no
[License Update] [include/laminas-mail/vendor/laminas/laminas-validator/LICENSE.md] [Lines 1-2]
Old Code: `Copyright (c) 2019-2020, Laminas Foundation All rights reserved.`
Fixed Code: `Copyright (c) 2020 Laminas Project a Series of LF Projects, LLC.`
Additional Details: This appears to be a simple license update/correction rather than a security fix. The change updates the copyright holder information and removes the redundant "All rights reserved" line, which is standard practice in open source licenses. No security vulnerability is being addressed here.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/laminas/laminas-validator/src/Translator/TranslatorAwareInterface.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/laminas/laminas-validator/src/Translator/TranslatorAwareInterface.php@@ -1,10 +1,4 @@ <?php--/**- * @see https://github.com/laminas/laminas-validator for the canonical source repository- * @copyright https://github.com/laminas/laminas-validator/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-validator/blob/master/LICENSE.md New BSD License- */ namespace Laminas\Validator\Translator;@@ -19,7 +13,7 @@ * Default is null, which skips setTranslatorTextDomain * @return self */- public function setTranslator(TranslatorInterface $translator = null, $textDomain = null);+ public function setTranslator(?TranslatorInterface $translator = null, $textDomain = null); /** * Returns translator used in object
Based on the provided diff, I'll analyze it for security vulnerabilities:

1. Vulnerability Existed: no
Documentation Removal [include/laminas-mail/vendor/laminas/laminas-validator/src/Translator/TranslatorAwareInterface.php] [Lines 1-10]
[Old Code]
```php
<?php

/**
 * @see       https://github.com/laminas/laminas-validator for the canonical source repository
 * @copyright https://github.com/laminas/laminas-validator/blob/master/COPYRIGHT.md
 * @license   https://github.com/laminas/laminas-validator/blob/master/LICENSE.md New BSD License
 */
```
[Fixed Code]
```php
<?php
```

2. Vulnerability Existed: no
Type Hint Update [include/laminas-mail/vendor/laminas/laminas-validator/src/Translator/TranslatorAwareInterface.php] [Line 19]
[Old Code]
```php
public function setTranslator(TranslatorInterface $translator = null, $textDomain = null);
```
[Fixed Code]
```php
public function setTranslator(?TranslatorInterface $translator = null, $textDomain = null);
```

The changes appear to be:

1. Removal of documentation headers (copyright/license information)
2. Update to use PHP 7.1+ nullable type hint syntax (?Type)

Neither of these changes appear to be security-related fixes. The first is documentation cleanup and the second is a syntax modernization. No security vulnerabilities are addressed in this diff.
osTicket versions prior to v1.17.6 and v1.18.2 are vulnerable to a Broken Access Control vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of the "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via a combination of the "keywords" and "topic_id" URL parameters.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/laminas/laminas-stdlib/src/Exception/BadMethodCallException.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/laminas/laminas-stdlib/src/Exception/BadMethodCallException.php@@ -1,10 +1,6 @@ <?php-/**- * @see https://github.com/laminas/laminas-stdlib for the canonical source repository- * @copyright https://github.com/laminas/laminas-stdlib/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-stdlib/blob/master/LICENSE.md New BSD License- */+declare(strict_types=1); namespace Laminas\Stdlib\Exception;
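Review bot: after this header hunk the file carries no license or source pointer, because the `@see`/`@copyright`/`@license` docblock is removed without a replacement; keep a one-line reference or confirm the package-level license file is shipped with the vendored copy. The added `declare(strict_types=1);` applies only to calls made from within this file, so it should not be counted as hardening for the code that throws or catches this exception.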
Based on the provided diff, I'll analyze it for security fixes:

1. Vulnerability Existed: no
   No specific vulnerability found
   [File] include/laminas-mail/vendor/laminas/laminas-stdlib/src/Exception/BadMethodCallException.php
   [Lines] 1-10

   Old Code:
   ```php
   <?php
   /**
    * @see https://github.com/laminas/laminas-stdlib for the canonical source repository
    * @copyright https://github.com/laminas/laminas-stdlib/blob/master/COPYRIGHT.md
    * @license https://github.com/laminas/laminas-stdlib/blob/master/LICENSE.md New BSD License
    */
   ```

   Fixed Code:
   ```php
   <?php
   declare(strict_types=1);
   ```

The changes appear to be:
1. Removal of documentation comments (license/copyright information)
2. Addition of strict type declaration

This doesn't appear to be a security fix but rather a code style/quality improvement. The addition of strict_types=1 can help prevent certain types of type-related bugs but doesn't directly address any known vulnerability.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/class.validator.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/class.validator.php@@ -367,7 +367,8 @@ $aclbk = $cfg->getACLBackend(); switch($backend) { case 'client':- if (in_array($aclbk, array(0,3)))+ if (in_array($aclbk, array(0,3))+ || ($aclbk == 2 && StaffAuthenticationBackend::getUser())) return true; break; case 'staff':
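Review bot: the added `|| ($aclbk == 2 && StaffAuthenticationBackend::getUser())` in `case 'client':` widens an authorization allow path using a loose comparison and an undocumented magic number. Suggest `$aclbk === 2` (casting the `getACLBackend()` result once if it can arrive as a string), passing `true` as the third argument to `in_array`, and replacing 0, 2 and 3 with named constants plus a comment stating why an authenticated staff session satisfies the client check in mode 2. A test that covers mode 2 with and without a staff session would pin the intended behaviour.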
Let me analyze the code diff for security fixes:

1. Vulnerability Existed: not sure
   [Potential ACL Bypass or Improper Access Control] [include/class.validator.php] [Lines 367-370]
   [Old Code]
   if (in_array($aclbk, array(0,3)))
   [Fixed Code]
   if (in_array($aclbk, array(0,3)) || ($aclbk == 2 && StaffAuthenticationBackend::getUser()))

Analysis: The change appears to modify the access control logic by adding an additional condition where access is granted if $aclbk is 2 AND StaffAuthenticationBackend::getUser() returns true. This suggests the original code might have been too restrictive in certain authentication backend configurations (specifically type 2). While this could potentially fix an access control issue, without more context about the ACL backend types and their intended behavior, I can't definitively say if this was fixing a security vulnerability or just improving functionality. The change does appear security-relevant as it affects authorization logic.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/staff/profile.inc.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/staff/profile.inc.php@@ -84,7 +84,7 @@ <tr> <td><?php echo __('Mobile Number');?>:</td> <td>- <input type="tel" size="18" name="mobile" class="auto phone"+ <input type="tel" size="18" name="mobile" class="auto mobile" value="<?php echo Format::htmlchars($staff->mobile); ?>" /> <div class="error"><?php echo $errors['mobile']; ?></div> </td>
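Review bot: renaming the class from `auto phone` to `auto mobile` changes which client-side selector binds to this input, so any script or stylesheet keyed on `.phone` needs the matching update, and server-side validation of `mobile` must not depend on it. In the adjacent context line, `<?php echo $errors['mobile']; ?>` is printed without `Format::htmlchars()` while the `value` attribute is escaped; confirm the error strings are never built from user input, or escape them as well.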
Let me analyze the code diff for potential security vulnerabilities:

Vulnerability Existed: not sure
[Potential HTML/Attribute Injection] [include/staff/profile.inc.php] [Lines 84-87]
[Old Code]
<input type="tel" size="18" name="mobile" class="auto phone" value="<?php echo Format::htmlchars($staff->mobile); ?>" />
[Fixed Code]
<input type="tel" size="18" name="mobile" class="auto mobile" value="<?php echo Format::htmlchars($staff->mobile); ?>" />

Additional Details:
1. The change appears to be primarily a class name change from "phone" to "mobile"
2. The Format::htmlchars() function is properly used to escape output in both versions
3. No obvious security vulnerability is introduced or fixed in this change
4. The change might be related to frontend functionality rather than security

Note: While there's no clear security vulnerability fixed here, the change could potentially be part of a larger security update where the class name change affects how input validation is handled in JavaScript. However, without seeing the corresponding JavaScript changes, I can't be certain.