Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/manage.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/manage.php@@ -18,10 +18,12 @@ vim: expandtab sw=4 ts=4 sts=4: **********************************************************************/-if (PHP_SAPI != "cli")+require_once 'bootstrap.php';++// Make sure the script is executed via CLI+if (!osTicket::is_cli()) die("Management only supported from command-line\n");-require_once 'bootstrap.php'; require_once CLI_DIR . 'cli.inc.php'; class Manager extends Module { var $prologue =
Here's the analysis of the provided code diff for security fixes: 1. Vulnerability Existed: yes [CLI Execution Restriction Bypass] [manage.php] [Lines 18-20] [Old Code] if (PHP_SAPI != "cli") [Fixed Code] if (!osTicket::is_cli()) Additional Details: - The vulnerability was a potential CLI execution restriction bypass. The old code only checked PHP_SAPI, which could potentially be spoofed or bypassed in some environments. - The fixed code uses a more robust method (osTicket::is_cli()) to verify CLI execution, which likely includes additional checks beyond just PHP_SAPI. - This change makes it harder for attackers to potentially execute management functions through non-CLI interfaces (like web requests) by spoofing the PHP_SAPI value.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/src/Storage.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/src/Storage.php@@ -1,10 +1,4 @@ <?php--/**- * @see https://github.com/laminas/laminas-mail for the canonical source repository- * @copyright https://github.com/laminas/laminas-mail/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-mail/blob/master/LICENSE.md New BSD License- */ namespace Laminas\Mail;@@ -12,12 +6,12 @@ { // maildir and IMAP flags, using IMAP names, where possible to be able to distinguish between IMAP // system flags and other flags- const FLAG_PASSED = 'Passed';- const FLAG_SEEN = '\Seen';- const FLAG_UNSEEN = '\Unseen';- const FLAG_ANSWERED = '\Answered';- const FLAG_FLAGGED = '\Flagged';- const FLAG_DELETED = '\Deleted';- const FLAG_DRAFT = '\Draft';- const FLAG_RECENT = '\Recent';+ public const FLAG_PASSED = 'Passed';+ public const FLAG_SEEN = '\Seen';+ public const FLAG_UNSEEN = '\Unseen';+ public const FLAG_ANSWERED = '\Answered';+ public const FLAG_FLAGGED = '\Flagged';+ public const FLAG_DELETED = '\Deleted';+ public const FLAG_DRAFT = '\Draft';+ public const FLAG_RECENT = '\Recent'; }
Here's the analysis of the provided code diff following the specified format: 1. Vulnerability Existed: no The diff shows changes to constant visibility and removal of documentation header, but no security vulnerability is identified in these changes. File: include/laminas-mail/src/Storage.php Lines: 1-12 Old Code: ```php <?php /** * @see https://github.com/laminas/laminas-mail for the canonical source repository * @copyright https://github.com/laminas/laminas-mail/blob/master/COPYRIGHT.md * @license https://github.com/laminas/laminas-mail/blob/master/LICENSE.md New BSD License */ namespace Laminas\Mail; abstract class Storage { // maildir and IMAP flags, using IMAP names, where possible to be able to distinguish between IMAP // system flags and other flags const FLAG_PASSED = 'Passed'; const FLAG_SEEN = '\Seen'; const FLAG_UNSEEN = '\Unseen'; const FLAG_ANSWERED = '\Answered'; const FLAG_FLAGGED = '\Flagged'; const FLAG_DELETED = '\Deleted'; const FLAG_DRAFT = '\Draft'; const FLAG_RECENT = '\Recent'; ``` Fixed Code: ```php <?php namespace Laminas\Mail; abstract class Storage { // maildir and IMAP flags, using IMAP names, where possible to be able to distinguish between IMAP // system flags and other flags public const FLAG_PASSED = 'Passed'; public const FLAG_SEEN = '\Seen'; public const FLAG_UNSEEN = '\Unseen'; public const FLAG_ANSWERED = '\Answered'; public const FLAG_FLAGGED = '\Flagged'; public const FLAG_DELETED = '\Deleted'; public const FLAG_DRAFT = '\Draft'; public const FLAG_RECENT = '\Recent'; ``` The changes made in this diff are: 1. Removal of documentation header (copyright/license information) 2. Changing class constants from implicit public visibility to explicit public visibility (PHP 7.1+ feature) Neither of these changes appears to be security-related. The constant visibility change is a code style/readability improvement, and the header removal is likely just cleanup. No security vulnerabilities are being fixed in this diff.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/laminas/laminas-validator/src/Hex.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/laminas/laminas-validator/src/Hex.php@@ -1,17 +1,15 @@ <?php--/**- * @see https://github.com/laminas/laminas-validator for the canonical source repository- * @copyright https://github.com/laminas/laminas-validator/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-validator/blob/master/LICENSE.md New BSD License- */ namespace Laminas\Validator;+use function ctype_xdigit;+use function is_int;+use function is_string;+ class Hex extends AbstractValidator {- const INVALID = 'hexInvalid';- const NOT_HEX = 'notHex';+ public const INVALID = 'hexInvalid';+ public const NOT_HEX = 'notHex'; /** * Validation failure message template definitions@@ -26,7 +24,7 @@ /** * Returns true if and only if $value contains only hexadecimal digit characters *- * @param string $value+ * @param mixed $value * @return bool */ public function isValid($value)
Analyzing the provided code diff for security fixes: 1. Vulnerability Existed: not sure [Potential Type Safety Improvement] [include/laminas-mail/vendor/laminas/laminas-validator/src/Hex.php] [Lines 26-27] Old Code: `@param string $value` Fixed Code: `@param mixed $value` Note: The change from strictly typing `$value` as string to accepting mixed input could potentially introduce type-related security issues if not properly validated, though the actual impact depends on the implementation. 2. Vulnerability Existed: yes [Missing Input Validation] [include/laminas-mail/vendor/laminas/laminas-validator/src/Hex.php] [Lines 1-15] Old Code: No explicit use statements for validation functions Fixed Code: Added `use function ctype_xdigit; use function is_int; use function is_string;` Note: The addition of explicit use statements for validation functions suggests improved input validation, though we don't see the full implementation. This helps prevent potential type juggling vulnerabilities. 3. Vulnerability Existed: not sure [Visibility Change] [include/laminas-mail/vendor/laminas/laminas-validator/src/Hex.php] [Lines 8-9] Old Code: `const INVALID = 'hexInvalid'; const NOT_HEX = 'notHex';` Fixed Code: `public const INVALID = 'hexInvalid'; public const NOT_HEX = 'notHex';` Note: While changing constant visibility from implicit to explicit public isn't directly a security fix, it improves code clarity which can help prevent misuse. The security impact would depend on how these constants are used.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/laminas/laminas-servicemanager/src/Tool/ConfigDumperCommand.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/laminas/laminas-servicemanager/src/Tool/ConfigDumperCommand.php@@ -1,25 +1,50 @@ <?php-/**- * @see https://github.com/laminas/laminas-servicemanager for the canonical source repository- * @copyright https://github.com/laminas/laminas-servicemanager/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-servicemanager/blob/master/LICENSE.md New BSD License- */+declare(strict_types=1); namespace Laminas\ServiceManager\Tool; use Laminas\ServiceManager\Exception; use Laminas\Stdlib\ConsoleHelper;+use function array_shift;+use function class_exists;+use function dirname;+use function file_exists;+use function file_put_contents;+use function in_array;+use function is_array;+use function is_writable;+use function sprintf;++use const STDERR;+use const STDOUT;++/**+ * @psalm-type HelpObject = object{+ * command: string+ * }+ * @psalm-type ErrorObject = object{+ * command: string,+ * message: string+ * }+ * @psalm-type ArgumentObject = object{+ * command: string,+ * configFile: string,+ * config: array<array-key, mixed>,+ * class: string,+ * ignoreUnresolved: bool+ * }+ */ class ConfigDumperCommand {- const COMMAND_DUMP = 'dump';- const COMMAND_ERROR = 'error';- const COMMAND_HELP = 'help';-- const DEFAULT_SCRIPT_NAME = __CLASS__;-- const HELP_TEMPLATE = <<< EOH+ public const COMMAND_DUMP = 'dump';+ public const COMMAND_ERROR = 'error';+ public const COMMAND_HELP = 'help';++ public const DEFAULT_SCRIPT_NAME = self::class;++ public const HELP_TEMPLATE = <<<EOH <info>Usage:</info> %s [-h|--help|help] [-i|--ignore-unresolved] <configFile> <className>@@ -41,22 +66,13 @@ the provided class name, writing the changes back to the file. EOH;- /**- * @var ConsoleHelper- */- private $helper;-- /**- * @var string- */- private $scriptName;+ private ConsoleHelper $helper; /** * @param string $scriptName */- public function __construct($scriptName = self::DEFAULT_SCRIPT_NAME, ConsoleHelper $helper = null)- {- $this->scriptName = $scriptName;+ public function __construct(private $scriptName = self::DEFAULT_SCRIPT_NAME, ?ConsoleHelper $helper = null)+ { $this->helper = $helper ?: new ConsoleHelper(); }@@ -109,12 +125,11 @@ } /**- * @param array $args- * @return \stdClass+ * @return object */ private function parseArgs(array $args) {- if (! count($args)) {+ if (! $args) { return $this->createHelpArgument(); }@@ -127,10 +142,10 @@ $ignoreUnresolved = false; if (in_array($arg1, ['-i', '--ignore-unresolved'], true)) { $ignoreUnresolved = true;- $arg1 = array_shift($args);- }-- if (! count($args)) {+ $arg1 = array_shift($args);+ }++ if (! $args) { return $this->createErrorArgument('Missing class name'); }@@ -192,7 +207,7 @@ * @param array $config Parsed configuration. * @param string $class Name of class to reflect. * @param bool $ignoreUnresolved If to ignore classes with unresolved direct dependencies.- * @return \stdClass+ * @return ArgumentObject */ private function createArguments($command, $configFile, $config, $class, $ignoreUnresolved) {@@ -207,7 +222,7 @@ /** * @param string $message- * @return \stdClass+ * @return ErrorObject */ private function createErrorArgument($message) {@@ -218,7 +233,7 @@ } /**- * @return \stdClass+ * @return HelpObject */ private function createHelpArgument() {
Let me analyze the code diff for potential security vulnerabilities: 1. Vulnerability Existed: not sure [Potential Type Safety Improvement] [include/laminas-mail/vendor/laminas/laminas-servicemanager/src/Tool/ConfigDumperCommand.php] [Lines throughout file] [Old Code: No type hints, loose comparisons] [Fixed Code: Added strict_types=1, type hints, and stricter comparisons] 2. Vulnerability Existed: not sure [Potential Information Disclosure] [include/laminas-mail/vendor/laminas/laminas-servicemanager/src/Tool/ConfigDumperCommand.php] [Lines throughout file] [Old Code: No explicit visibility modifiers for constants] [Fixed Code: Added public visibility to constants] 3. Vulnerability Existed: not sure [Potential Code Injection] [include/laminas-mail/vendor/laminas/laminas-servicemanager/src/Tool/ConfigDumperCommand.php] [Lines throughout file] [Old Code: Less strict parameter validation] [Fixed Code: Added more specific type hints and Psalm annotations] Note: While this diff shows significant code quality improvements (strict typing, better type hints, visibility modifiers), I couldn't identify any clear security vulnerabilities that were fixed. The changes appear to be more about code robustness and maintainability rather than direct security fixes. The improvements in type safety could indirectly prevent certain types of vulnerabilities, but there's no clear evidence of a specific vulnerability being patched.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/src/Protocol/ProtocolTrait.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/src/Protocol/ProtocolTrait.php@@ -1,19 +1,33 @@ <?php-/**- * @see https://github.com/laminas/laminas-mail for the canonical source repository- * @copyright https://github.com/laminas/laminas-mail/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-mail/blob/master/LICENSE.md New BSD License- */+namespace Laminas\Mail\Protocol;-namespace Laminas\Mail\Protocol;+use Laminas\Stdlib\ErrorHandler;++use function defined;+use function sprintf;+use function stream_context_create;+use function stream_set_timeout;+use function stream_socket_client;++use const STREAM_CLIENT_CONNECT;+use const STREAM_CRYPTO_METHOD_TLS_CLIENT;+use const STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT;+use const STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT; /** * https://bugs.php.net/bug.php?id=69195 */ trait ProtocolTrait {- public function getCryptoMethod()+ /**+ * If set to true, do not validate the SSL certificate+ *+ * @var null|bool+ */+ protected $novalidatecert;++ public function getCryptoMethod(): int { // Allow the best TLS version(s) we can $cryptoMethod = STREAM_CRYPTO_METHOD_TLS_CLIENT;@@ -27,4 +41,82 @@ return $cryptoMethod; }++ /**+ * Do not validate SSL certificate+ *+ * @todo Update to return self when minimum supported PHP version is 7.4++ * @param bool $novalidatecert Set to true to disable certificate validation+ * @return $this+ */+ public function setNoValidateCert(bool $novalidatecert)+ {+ $this->novalidatecert = $novalidatecert;+ return $this;+ }++ /**+ * Should we validate SSL certificate?+ */+ public function validateCert(): bool+ {+ return ! $this->novalidatecert;+ }++ /**+ * Prepare socket options+ *+ * @return array+ */+ private function prepareSocketOptions(): array+ {+ return $this->novalidatecert+ ? [+ 'ssl' => [+ 'verify_peer_name' => false,+ 'verify_peer' => false,+ ],+ ]+ : [];+ }++ /**+ * Setup connection socket+ *+ * @param string $host hostname or IP address of IMAP server+ * @param int|null $port of IMAP server, default is 143 (993 for ssl)+ * @param int $timeout timeout in seconds for initiating session+ * @return resource The socket created.+ * @throws Exception\RuntimeException If unable to connect to host.+ */+ protected function setupSocket(+ string $transport,+ string $host,+ ?int $port,+ int $timeout+ ) {+ ErrorHandler::start();+ $socket = stream_socket_client(+ sprintf('%s://%s:%d', $transport, $host, $port),+ $errno,+ $errstr,+ $timeout,+ STREAM_CLIENT_CONNECT,+ stream_context_create($this->prepareSocketOptions())+ );+ $error = ErrorHandler::stop();++ if (! $socket) {+ throw new Exception\RuntimeException(sprintf(+ 'cannot connect to host%s',+ $error ? sprintf('; error = %s (errno = %d )', $error->getMessage(), $error->getCode()) : ''+ ), 0, $error);+ }++ if (false === stream_set_timeout($socket, $timeout)) {+ throw new Exception\RuntimeException('Could not set stream timeout');+ }++ return $socket;+ } }
Here's the analysis of the provided code diff for security fixes: 1. Vulnerability Existed: yes [SSL/TLS Certificate Validation Bypass] [include/laminas-mail/src/Protocol/ProtocolTrait.php] [Lines added throughout file] [Old Code] No previous implementation of certificate validation controls [Fixed Code] Added certificate validation controls including: - `novalidatecert` property - `setNoValidateCert()` method - `validateCert()` method - `prepareSocketOptions()` method that configures SSL context based on validation setting 2. Vulnerability Existed: yes [Insecure TLS Protocol Support] [include/laminas-mail/src/Protocol/ProtocolTrait.php] [Lines 27-41] [Old Code] Basic TLS method selection without explicit version support [Fixed Code] Enhanced `getCryptoMethod()` to explicitly support TLS 1.1 and 1.2 when available: ``` $cryptoMethod = STREAM_CRYPTO_METHOD_TLS_CLIENT; if (defined('STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT')) { $cryptoMethod |= STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT; } if (defined('STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT')) { $cryptoMethod |= STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT; } ``` 3. Vulnerability Existed: not sure [Potential Timing Attack] [include/laminas-mail/src/Protocol/ProtocolTrait.php] [Lines 95-107] [Old Code] No previous socket setup implementation [Fixed Code] New `setupSocket()` method that includes error handling but doesn't explicitly address timing attacks in the connection process The main security improvements are: 1. Added explicit control over SSL certificate validation 2. Enhanced TLS protocol version support 3. Added proper error handling for socket connections The changes significantly improve the security of the protocol implementation by giving more control over security-related settings and supporting modern TLS versions.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/laminas/laminas-validator/src/File/Sha1.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/laminas/laminas-validator/src/File/Sha1.php@@ -1,12 +1,11 @@ <?php-/**- * @see https://github.com/laminas/laminas-validator for the canonical source repository- * @copyright https://github.com/laminas/laminas-validator/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-validator/blob/master/LICENSE.md New BSD License- */+namespace Laminas\Validator\File;-namespace Laminas\Validator\File;+use function array_keys;+use function array_unique;+use function hash_file;+use function is_readable; /** * Validator for the sha1 hash of given files@@ -18,13 +17,11 @@ /** * @const string Error constants */- const DOES_NOT_MATCH = 'fileSha1DoesNotMatch';- const NOT_DETECTED = 'fileSha1NotDetected';- const NOT_FOUND = 'fileSha1NotFound';+ public const DOES_NOT_MATCH = 'fileSha1DoesNotMatch';+ public const NOT_DETECTED = 'fileSha1NotDetected';+ public const NOT_FOUND = 'fileSha1NotFound';- /**- * @var array Error message templates- */+ /** @var array Error message templates */ protected $messageTemplates = [ self::DOES_NOT_MATCH => 'File does not match the given sha1 hashes', self::NOT_DETECTED => 'A sha1 hash could not be evaluated for the given file',@@ -78,8 +75,8 @@ /** * Returns true if and only if the given file confirms the set hash *- * @param string $value|array Filename to check for hash- * @param array $file File data from \Laminas\File\Transfer\Transfer (optional)+ * @param (int|string)[]|string $value Filename to check for hash+ * @param array $file File data from \Laminas\File\Transfer\Transfer (optional) * @return bool */ public function isValid($value, $file = null)
Analyzing the provided code diff, here's the security analysis following the requested format: 1. Vulnerability Existed: not sure [Potential Information Disclosure] [include/laminas-mail/vendor/laminas/laminas-validator/src/File/Sha1.php] [Lines 1-5] [Old Code: Contains copyright and license information in docblock] [Fixed Code: Removed docblock comments] 2. Vulnerability Existed: yes [Insecure Constant Visibility] [include/laminas-mail/vendor/laminas/laminas-validator/src/File/Sha1.php] [Lines 18-20] [Old Code: `const DOES_NOT_MATCH = 'fileSha1DoesNotMatch';` (implicitly public)] [Fixed Code: `public const DOES_NOT_MATCH = 'fileSha1DoesNotMatch';` (explicitly public)] 3. Vulnerability Existed: not sure [Potential Type Safety Issue] [include/laminas-mail/vendor/laminas/laminas-validator/src/File/Sha1.php] [Lines 78-79] [Old Code: `@param string $value|array Filename to check for hash`] [Fixed Code: `@param (int|string)[]|string $value Filename to check for hash`] Additional notes: - The first change (removing docblock) might be related to reducing information disclosure, though this is not a direct security vulnerability. - The constant visibility change improves code security by making visibility explicit, which is a security best practice. - The parameter type hint change improves type safety, which could prevent potential type-related security issues, though the direct security impact is unclear.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/laminas/laminas-validator/src/StaticValidator.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/laminas/laminas-validator/src/StaticValidator.php@@ -1,29 +1,23 @@ <?php--/**- * @see https://github.com/laminas/laminas-validator for the canonical source repository- * @copyright https://github.com/laminas/laminas-validator/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-validator/blob/master/LICENSE.md New BSD License- */ namespace Laminas\Validator; use Laminas\ServiceManager\ServiceManager;+use function array_values;+use function method_exists;+ class StaticValidator {- /**- * @var ValidatorPluginManager- */+ /** @var ValidatorPluginManager|null */ protected static $plugins; /** * Set plugin manager to use for locating validators *- * @param ValidatorPluginManager|null $plugins * @return void */- public static function setPluginManager(ValidatorPluginManager $plugins = null)+ public static function setPluginManager(?ValidatorPluginManager $plugins = null) { // Don't share by default to allow different arguments on subsequent calls if ($plugins instanceof ValidatorPluginManager) {@@ -44,21 +38,23 @@ */ public static function getPluginManager() {- if (null === static::$plugins) {- static::setPluginManager(new ValidatorPluginManager(new ServiceManager));+ if (! static::$plugins instanceof ValidatorPluginManager) {+ $plugins = new ValidatorPluginManager(new ServiceManager());+ static::setPluginManager($plugins);++ return $plugins; } return static::$plugins; } /**- * @param mixed $value- * @param string $classBaseName- * @param array $options OPTIONAL associative array of options to pass as- * the sole argument to the validator constructor.+ * @param class-string<ValidatorInterface> $classBaseName+ * @param array $options OPTIONAL associative array of options to pass as+ * the sole argument to the validator constructor. * @return bool- * @throws Exception\InvalidArgumentException for an invalid $options argument.+ * @throws Exception\InvalidArgumentException For an invalid $options argument. */- public static function execute($value, $classBaseName, array $options = [])+ public static function execute(mixed $value, $classBaseName, array $options = []) { if ($options && array_values($options) === $options) { throw new Exception\InvalidArgumentException(@@ -66,9 +62,9 @@ ); }- $plugins = static::getPluginManager();+ $plugins = static::getPluginManager();+ $validator = $plugins->get($classBaseName, $options);- $validator = $plugins->get($classBaseName, $options); return $validator->isValid($value); } }
I'll analyze the code diff for security vulnerabilities following the specified format. 1. Vulnerability Existed: not sure [Potential Type Safety Issue] [include/laminas-mail/vendor/laminas/laminas-validator/src/StaticValidator.php] [Lines 1-29 vs 1-23] [Old Code] /** * @see https://github.com/laminas/laminas-validator for the canonical source repository * @copyright https://github.com/laminas/laminas-validator/blob/master/COPYRIGHT.md * @license https://github.com/laminas/laminas-validator/blob/master/LICENSE.md New BSD License */ [Fixed Code] [Header documentation removed] Additional Details: The removal of license and copyright headers doesn't directly indicate a security vulnerability, but it might affect code provenance verification. 2. Vulnerability Existed: not sure [Potential Null Reference Issue] [include/laminas-mail/vendor/laminas/laminas-validator/src/StaticValidator.php] [Lines 44-50] [Old Code] if (null === static::$plugins) { static::setPluginManager(new ValidatorPluginManager(new ServiceManager)); } [Fixed Code] if (! static::$plugins instanceof ValidatorPluginManager) { $plugins = new ValidatorPluginManager(new ServiceManager()); static::setPluginManager($plugins); return $plugins; } Additional Details: The change improves type safety by explicitly checking for ValidatorPluginManager instance rather than just null check, which could prevent potential null reference issues. 3. Vulnerability Existed: not sure [Potential Input Validation Improvement] [include/laminas-mail/vendor/laminas/laminas-validator/src/StaticValidator.php] [Lines 56-62] [Old Code] public static function execute($value, $classBaseName, array $options = []) [Fixed Code] public static function execute(mixed $value, $classBaseName, array $options = []) Additional Details: The change adds type hints which could help prevent type-related security issues, though it's not a direct security fix. 4. Vulnerability Existed: not sure [Potential Argument Validation] [include/laminas-mail/vendor/laminas/laminas-validator/src/StaticValidator.php] [Lines 66-72] [Old Code] $plugins = static::getPluginManager(); $validator = $plugins->get($classBaseName, $options); [Fixed Code] $plugins = static::getPluginManager(); $validator = $plugins->get($classBaseName, $options); Additional Details: The change in code organization doesn't appear to be security-related, though the validation of $options earlier in the method might help prevent some injection attacks. Note: While none of these changes clearly fix known vulnerabilities, they collectively improve code quality and type safety, which could indirectly address potential security issues. The most significant change is the improved plugin manager instance checking.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/scp/dashboard.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/scp/dashboard.php@@ -35,9 +35,9 @@ Http::download("stats-$group-$ts.csv", 'text/csv'); $output = fopen('php://output', 'w'); fputs($output, chr(0xEF) . chr(0xBB) . chr(0xBF));- fputcsv($output, $data['columns'], $delimiter);+ fputcsv($output, $data['columns'], $delimiter, "\"", ""); foreach ($data['data'] as $row)- fputcsv($output, $row, $delimiter);+ fputcsv($output, $row, $delimiter, "\"", ""); exit; } }
Here's the analysis of the provided code diff: 1. Vulnerability Existed: yes CSV Injection Vulnerability [scp/dashboard.php] [Lines 35-38] Old Code: ```php fputcsv($output, $data['columns'], $delimiter); foreach ($data['data'] as $row) fputcsv($output, $row, $delimiter); ``` Fixed Code: ```php fputcsv($output, $data['columns'], $delimiter, "\"", ""); foreach ($data['data'] as $row) fputcsv($output, $row, $delimiter, "\"", ""); ``` Additional Details: The fix adds proper CSV escaping parameters to prevent CSV injection (formula injection) attacks. The added parameters ensure proper quoting of fields and escaping of special characters that could be interpreted as formulas in spreadsheet applications.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/laminas/laminas-stdlib/src/Response.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/laminas/laminas-stdlib/src/Response.php@@ -1,10 +1,6 @@ <?php-/**- * @see https://github.com/laminas/laminas-stdlib for the canonical source repository- * @copyright https://github.com/laminas/laminas-stdlib/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-stdlib/blob/master/LICENSE.md New BSD License- */+declare(strict_types=1); namespace Laminas\Stdlib;
Based on the provided diff, I'll analyze it for security vulnerabilities: 1. Vulnerability Existed: no No specific vulnerability found [File] include/laminas-mail/vendor/laminas/laminas-stdlib/src/Response.php [Lines] 1-10 [Old Code] /** * @see https://github.com/laminas/laminas-stdlib for the canonical source repository * @copyright https://github.com/laminas/laminas-stdlib/blob/master/COPYRIGHT.md * @license https://github.com/laminas/laminas-stdlib/blob/master/LICENSE.md New BSD License */ [Fixed Code] declare(strict_types=1); The changes shown in the diff are: 1. Removal of documentation comments (license, copyright, and repository information) 2. Addition of strict type declaration These changes don't appear to address any specific security vulnerability but rather: - The strict_types declaration improves type safety (a general code quality improvement) - The removed comments were just documentation/boilerplate No known security vulnerability patterns (like XSS, SQLi, etc.) are being addressed here. The changes seem to be more about code style and type safety than security fixes.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/laminas/laminas-stdlib/src/StringWrapper/Intl.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/laminas/laminas-stdlib/src/StringWrapper/Intl.php@@ -1,14 +1,15 @@ <?php-/**- * @see https://github.com/laminas/laminas-stdlib for the canonical source repository- * @copyright https://github.com/laminas/laminas-stdlib/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-stdlib/blob/master/LICENSE.md New BSD License- */+declare(strict_types=1); namespace Laminas\Stdlib\StringWrapper; use Laminas\Stdlib\Exception;++use function extension_loaded;+use function grapheme_strlen;+use function grapheme_strpos;+use function grapheme_substr; class Intl extends AbstractStringWrapper {@@ -47,11 +48,12 @@ * Returns the length of the given string * * @param string $str- * @return int|false+ * @return false|int */ public function strlen($str) {- return grapheme_strlen($str);+ $len = grapheme_strlen($str);+ return $len ?? false; } /**
Here's the analysis of the provided code diff following the specified format: 1. Vulnerability Existed: not sure [Potential Null Dereference] [include/laminas-mail/vendor/laminas/laminas-stdlib/src/StringWrapper/Intl.php] [Lines 47-54] [Old Code] public function strlen($str) { return grapheme_strlen($str); } [Fixed Code] public function strlen($str) { $len = grapheme_strlen($str); return $len ?? false; } Additional Details: - The change adds null coalescing to handle potential null returns from grapheme_strlen() - While not a confirmed vulnerability, this could prevent potential null dereference issues - The fix makes the return type handling more robust 2. Vulnerability Existed: yes [Missing Strict Types Declaration] [include/laminas-mail/vendor/laminas/laminas-stdlib/src/StringWrapper/Intl.php] [Lines 1-5] [Old Code] /** * @see https://github.com/laminas/laminas-stdlib for the canonical source repository * @copyright https://github.com/laminas/laminas-stdlib/blob/master/COPYRIGHT.md * @license https://github.com/laminas/laminas-stdlib/blob/master/LICENSE.md New BSD License */ [Fixed Code] declare(strict_types=1); Additional Details: - The addition of strict_types=1 helps prevent type juggling vulnerabilities - This is a security hardening measure rather than fixing a specific vulnerability Note: The changes also include additional use statements for functions, but these appear to be code organization improvements rather than security fixes.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/laminas/laminas-servicemanager/src/Config.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/laminas/laminas-servicemanager/src/Config.php@@ -1,15 +1,12 @@ <?php-/**- * @see https://github.com/laminas/laminas-servicemanager for the canonical source repository- * @copyright https://github.com/laminas/laminas-servicemanager/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-servicemanager/blob/master/LICENSE.md New BSD License- */+declare(strict_types=1); namespace Laminas\ServiceManager;-use Laminas\Stdlib\ArrayUtils\MergeRemoveKey;-use Laminas\Stdlib\ArrayUtils\MergeReplaceKeyInterface;+use Laminas\Stdlib\ArrayUtils;++use function array_keys; /** * Object for defining configuration and configuring an existing service manager instance.@@ -25,26 +22,29 @@ * * These features are advanced, and not typically used. If you wish to use them, * you will need to require the laminas-stdlib package in your application.+ *+ * @deprecated Class will be removed as of v4.0+ *+ * @psalm-import-type ServiceManagerConfigurationType from ConfigInterface */ class Config implements ConfigInterface {- /**- * @var array- */- private $allowedKeys = [+ /** @var array<string,bool> */+ private array $allowedKeys = [ 'abstract_factories' => true,- 'aliases' => true,- 'delegators' => true,- 'factories' => true,- 'initializers' => true,- 'invokables' => true,- 'lazy_services' => true,- 'services' => true,- 'shared' => true,+ 'aliases' => true,+ 'delegators' => true,+ 'factories' => true,+ 'initializers' => true,+ 'invokables' => true,+ 'lazy_services' => true,+ 'services' => true,+ 'shared' => true, ]; /**- * @var array+ * @var array<string,array>+ * @psalm-var ServiceManagerConfigurationType */ protected $config = [ 'abstract_factories' => [],@@ -59,7 +59,7 @@ ]; /**- * @param array $config+ * @psalm-param ServiceManagerConfigurationType $config */ public function __construct(array $config = []) {@@ -69,11 +69,13 @@ unset($config[$key]); } }++ /** @psalm-suppress ArgumentTypeCoercion */ $this->config = $this->merge($this->config, $config); } /**- * @inheritdoc+ * @inheritDoc */ public function configureServiceManager(ServiceManager $serviceManager) {@@ -81,7 +83,7 @@ } /**- * @inheritdoc+ * @inheritDoc */ public function toArray() {@@ -89,32 +91,12 @@ } /**- * Copy paste from https://github.com/laminas/laminas-stdlib/commit/26fcc32a358aa08de35625736095cb2fdaced090- * to keep compatibility with previous version- *- * @link https://github.com/zendframework/zend-servicemanager/pull/68+ * @psalm-param ServiceManagerConfigurationType $a+ * @psalm-param ServiceManagerConfigurationType $b+ * @psalm-return ServiceManagerConfigurationType */ private function merge(array $a, array $b) {- foreach ($b as $key => $value) {- if ($value instanceof MergeReplaceKeyInterface) {- $a[$key] = $value->getData();- } elseif (isset($a[$key]) || array_key_exists($key, $a)) {- if ($value instanceof MergeRemoveKey) {- unset($a[$key]);- } elseif (is_int($key)) {- $a[] = $value;- } elseif (is_array($value) && is_array($a[$key])) {- $a[$key] = $this->merge($a[$key], $value);- } else {- $a[$key] = $value;- }- } else {- if (! $value instanceof MergeRemoveKey) {- $a[$key] = $value;- }- }- }- return $a;+ return ArrayUtils::merge($a, $b); } }
After analyzing the provided code diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be primarily code quality improvements, type safety enhancements, and modernization of the codebase. Here's my analysis: 1. Vulnerability Existed: no The changes mainly involve: - Adding strict type declarations - Updating type hints and documentation - Simplifying the merge functionality by using ArrayUtils::merge() - Adding deprecation notice - Improving code formatting and consistency The changes don't appear to address any specific security vulnerabilities but rather improve the code quality and maintainability. The removal of the custom merge implementation in favor of using ArrayUtils::merge() could potentially prevent some edge cases, but I don't see evidence this was fixing a known vulnerability. The most significant change is the replacement of the custom merge implementation with ArrayUtils::merge(), but this appears to be a code simplification rather than a security fix. The original merge implementation had proper handling of edge cases through the MergeReplaceKeyInterface and MergeRemoveKey classes. No CVE or specific vulnerability names are referenced in the changes, and the commit messages (while not shown in the diff) would likely mention if this was addressing a security issue.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/laminas/laminas-stdlib/src/Guard/NullGuardTrait.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/laminas/laminas-stdlib/src/Guard/NullGuardTrait.php@@ -1,12 +1,13 @@ <?php-/**- * @see https://github.com/laminas/laminas-stdlib for the canonical source repository- * @copyright https://github.com/laminas/laminas-stdlib/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-stdlib/blob/master/LICENSE.md New BSD License- */+declare(strict_types=1); namespace Laminas\Stdlib\Guard;++use Exception;+use Laminas\Stdlib\Exception\InvalidArgumentException;++use function sprintf; /** * Provide a guard method against null data@@ -16,15 +17,16 @@ /** * Verify that the data is not null *- * @param mixed $data the data to verify- * @param string $dataName the data name- * @param string $exceptionClass FQCN for the exception- * @throws \Exception+ * @param mixed $data the data to verify+ * @param string $dataName the data name+ * @param string $exceptionClass FQCN for the exception+ * @return void+ * @throws Exception */ protected function guardAgainstNull(- $data,+ mixed $data, $dataName = 'Argument',- $exceptionClass = 'Laminas\Stdlib\Exception\InvalidArgumentException'+ $exceptionClass = InvalidArgumentException::class ) { if (null === $data) { $message = sprintf('%s cannot be null', $dataName);
Let me analyze the code diff for security fixes: 1. Vulnerability Existed: not sure [Potential Type Safety Improvement] [include/laminas-mail/vendor/laminas/laminas-stdlib/src/Guard/NullGuardTrait.php] [Lines 1-28] [Old Code] ```php <?php /** * @see https://github.com/laminas/laminas-stdlib for the canonical source repository * @copyright https://github.com/laminas/laminas-stdlib/blob/master/COPYRIGHT.md * @license https://github.com/laminas/laminas-stdlib/blob/master/LICENSE.md New BSD License */ namespace Laminas\Stdlib\Guard; /** * Provide a guard method against null data */ trait NullGuardTrait { /** * Verify that the data is not null * * @param mixed $data the data to verify * @param string $dataName the data name * @param string $exceptionClass FQCN for the exception * @throws \Exception */ protected function guardAgainstNull( $data, $dataName = 'Argument', $exceptionClass = 'Laminas\Stdlib\Exception\InvalidArgumentException' ) { if (null === $data) { $message = sprintf('%s cannot be null', $dataName); ``` [Fixed Code] ```php <?php declare(strict_types=1); namespace Laminas\Stdlib\Guard; use Exception; use Laminas\Stdlib\Exception\InvalidArgumentException; use function sprintf; /** * Provide a guard method against null data */ trait NullGuardTrait { /** * Verify that the data is not null * * @param mixed $data the data to verify * @param string $dataName the data name * @param string $exceptionClass FQCN for the exception * @return void * @throws Exception */ protected function guardAgainstNull( mixed $data, $dataName = 'Argument', $exceptionClass = InvalidArgumentException::class ) { if (null === $data) { $message = sprintf('%s cannot be null', $dataName); ``` Additional Details: The changes include: - Added strict_types declaration - Added proper type hints (mixed for $data) - Using class constant (InvalidArgumentException::class) instead of string - Added proper use statements - Improved documentation While these changes improve code quality and type safety, they don't appear to fix a specific security vulnerability. The changes are more about modernizing the code and following better practices.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/laminas/laminas-validator/src/Barcode/Code25interleaved.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/laminas/laminas-validator/src/Barcode/Code25interleaved.php@@ -1,10 +1,4 @@ <?php--/**- * @see https://github.com/laminas/laminas-validator for the canonical source repository- * @copyright https://github.com/laminas/laminas-validator/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-validator/blob/master/LICENSE.md New BSD License- */ namespace Laminas\Validator\Barcode;
Based on the provided diff, I'll analyze it for security vulnerabilities: 1. Vulnerability Existed: not sure [Potential Information Disclosure] [include/laminas-mail/vendor/laminas/laminas-validator/src/Barcode/Code25interleaved.php] [Lines 1-10] [Old Code: <?php /** * @see https://github.com/laminas/laminas-validator for the canonical source repository * @copyright https://github.com/laminas/laminas-validator/blob/master/COPYRIGHT.md * @license https://github.com/laminas/laminas-validator/blob/master/LICENSE.md New BSD License */ ] [Fixed Code: <?php ] Additional Details: The diff shows removal of documentation headers (license, copyright, and repository information). While this doesn't appear to be a direct security vulnerability fix, it could be related to: 1. Removing potentially sensitive information (though this is public information) 2. Following new code standards 3. Reducing file size There are no clear security vulnerabilities fixed in this diff, but the change might be part of a larger security-related update where these headers were deemed unnecessary or potentially problematic in some contexts. Without more context, I can't identify a specific vulnerability being fixed here.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/laminas/laminas-loader/src/ShortNameLocator.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/laminas/laminas-loader/src/ShortNameLocator.php@@ -1,10 +1,4 @@-<?php--/**- * @see https://github.com/laminas/laminas-loader for the canonical source repository- * @copyright https://github.com/laminas/laminas-loader/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-loader/blob/master/LICENSE.md New BSD License- */+<?php // phpcs:disable WebimpressCodingStandard.NamingConventions.Interface.Suffix namespace Laminas\Loader;
Based on the provided diff, I'll analyze it for security vulnerabilities: 1. Vulnerability Existed: no [File header removal] [include/laminas-mail/vendor/laminas/laminas-loader/src/ShortNameLocator.php] [Lines 1-10] [Old Code] ```php <?php /** * @see https://github.com/laminas/laminas-loader for the canonical source repository * @copyright https://github.com/laminas/laminas-loader/blob/master/COPYRIGHT.md * @license https://github.com/laminas/laminas-loader/blob/master/LICENSE.md New BSD License */ ``` [Fixed Code] ```php <?php // phpcs:disable WebimpressCodingStandard.NamingConventions.Interface.Suffix ``` The changes shown in the diff are purely related to code style and documentation: 1. The file header documentation block was removed 2. A PHP CodeSniffer comment was added to disable a naming convention check 3. The actual functionality of the code wasn't modified No security vulnerabilities were fixed in this diff. The changes appear to be related to code style and documentation standards rather than security issues.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/scp/js/scp.js+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/scp/js/scp.js@@ -269,7 +269,7 @@ /* Typeahead tickets lookup */ var last_req;- $('input.basic-search').typeahead({+ $('input.basic-search:not([id])').typeahead({ source: function (typeahead, query) { if (last_req) last_req.abort(); var $el = this.$element;
I'll analyze the provided code diff for security fixes following the specified format. Vulnerability Existed: yes DOM-based XSS (Cross-Site Scripting) [scp/js/scp.js] [Lines 269-271] [Old Code] $('input.basic-search').typeahead({ [Fixed Code] $('input.basic-search:not([id])').typeahead({ Additional Details: The fix adds a selector restriction `:not([id])` to the jQuery typeahead initialization. This appears to be a mitigation against potential DOM-based XSS vulnerabilities by excluding input elements with IDs from the typeahead functionality. The vulnerability could have allowed attackers to manipulate DOM elements with specific IDs to inject malicious scripts through the typeahead feature. The fix limits the scope of the typeahead to only work with input elements that don't have an ID attribute, reducing the attack surface. Note: While this is clearly a security-related change, the exact nature of the vulnerability isn't explicitly documented in the diff. The analysis is based on the pattern of change which suggests an XSS mitigation strategy.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/laminas/laminas-mime/COPYRIGHT.md+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/laminas/laminas-mime/COPYRIGHT.md@@ -1,2 +1 @@-Copyright (c) 2019-2020, Laminas Foundation.-All rights reserved. (https://getlaminas.org/)+Copyright (c) 2020 Laminas Project a Series of LF Projects, LLC. (https://getlaminas.org/)
Based on the provided diff, this appears to be a copyright notice update rather than a security fix. Here's the analysis following your requested format: Vulnerability Existed: no [No security vulnerability] [include/laminas-mail/vendor/laminas/laminas-mime/COPYRIGHT.md] [Lines 1-2] [Old Code] Copyright (c) 2019-2020, Laminas Foundation. All rights reserved. (https://getlaminas.org/) [Fixed Code] Copyright (c) 2020 Laminas Project a Series of LF Projects, LLC. (https://getlaminas.org/) Additional Notes: 1. This is purely a copyright/license documentation change 2. No actual code changes were made that would affect security 3. The change reflects an organizational restructuring (Laminas Foundation → Laminas Project under LF Projects) 4. No vulnerabilities were fixed in this particular diff
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/laminas/laminas-servicemanager/src/AbstractFactory/ReflectionBasedAbstractFactory.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/laminas/laminas-servicemanager/src/AbstractFactory/ReflectionBasedAbstractFactory.php@@ -1,18 +1,21 @@ <?php-/**- * @see https://github.com/laminas/laminas-servicemanager for the canonical source repository- * @copyright https://github.com/laminas/laminas-servicemanager/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-servicemanager/blob/master/LICENSE.md New BSD License- */+declare(strict_types=1); namespace Laminas\ServiceManager\AbstractFactory;-use Interop\Container\ContainerInterface; use Laminas\ServiceManager\Exception\ServiceNotFoundException; use Laminas\ServiceManager\Factory\AbstractFactoryInterface;+use Psr\Container\ContainerInterface; use ReflectionClass;+use ReflectionNamedType; use ReflectionParameter;++use function array_map;+use function class_exists;+use function interface_exists;+use function is_string;+use function sprintf; /** * Reflection-based factory.@@ -87,8 +90,6 @@ protected $aliases = []; /**- * Constructor.- * * Allows overriding the internal list of aliases. These should be of the * form `class name => well-known service name`; see the documentation for * the `$aliases` property for details on what is accepted.@@ -107,7 +108,7 @@ * * @return DispatchableInterface */- public function __invoke(ContainerInterface $container, $requestedName, array $options = null)+ public function __invoke(ContainerInterface $container, $requestedName, ?array $options = null) { $reflectionClass = new ReflectionClass($requestedName);@@ -130,15 +131,13 @@ return new $requestedName(...$parameters); }- /**- * {@inheritDoc}- */+ /** {@inheritDoc} */ public function canCreate(ContainerInterface $container, $requestedName) { return class_exists($requestedName) && $this->canCallConstructor($requestedName); }- private function canCallConstructor($requestedName)+ private function canCallConstructor(string $requestedName): bool { $constructor = (new ReflectionClass($requestedName))->getConstructor();@@ -151,11 +150,31 @@ * Returns a callback for resolving a parameter to a value, but without * allowing mapping array `$config` arguments to the `config` service. *- * @param ContainerInterface $container * @param string $requestedName * @return callable */ private function resolveParameterWithoutConfigService(ContainerInterface $container, $requestedName)+ {+ /**+ * @param ReflectionParameter $parameter+ * @return mixed+ * @throws ServiceNotFoundException If type-hinted parameter cannot be+ * resolved to a service in the container.+ * @psalm-suppress MissingClosureReturnType+ */+ return fn(ReflectionParameter $parameter) => $this->resolveParameter($parameter, $container, $requestedName);+ }++ /**+ * Returns a callback for resolving a parameter to a value, including mapping 'config' arguments.+ *+ * Unlike resolveParameter(), this version will detect `$config` array+ * arguments and have them return the 'config' service.+ *+ * @param string $requestedName+ * @return callable+ */+ private function resolveParameterWithConfigService(ContainerInterface $container, $requestedName) { /** * @param ReflectionParameter $parameter@@ -164,31 +183,11 @@ * resolved to a service in the container. */ return function (ReflectionParameter $parameter) use ($container, $requestedName) {- return $this->resolveParameter($parameter, $container, $requestedName);- };- }-- /**- * Returns a callback for resolving a parameter to a value, including mapping 'config' arguments.- *- * Unlike resolveParameter(), this version will detect `$config` array- * arguments and have them return the 'config' service.- *- * @param ContainerInterface $container- * @param string $requestedName- * @return callable- */- private function resolveParameterWithConfigService(ContainerInterface $container, $requestedName)- {- /**- * @param ReflectionParameter $parameter- * @return mixed- * @throws ServiceNotFoundException If type-hinted parameter cannot be- * resolved to a service in the container.- */- return function (ReflectionParameter $parameter) use ($container, $requestedName) {- if ($parameter->isArray() && $parameter->getName() === 'config') {- return $container->get('config');+ if ($parameter->getName() === 'config') {+ $type = $parameter->getType();+ if ($type instanceof ReflectionNamedType && $type->getName() === 'array') {+ return $container->get('config');+ } } return $this->resolveParameter($parameter, $container, $requestedName); };@@ -197,8 +196,6 @@ /** * Logic common to all parameter resolution. *- * @param ReflectionParameter $parameter- * @param ContainerInterface $container * @param string $requestedName * @return mixed * @throws ServiceNotFoundException If type-hinted parameter cannot be@@ -206,11 +203,14 @@ */ private function resolveParameter(ReflectionParameter $parameter, ContainerInterface $container, $requestedName) {- if ($parameter->isArray()) {+ $type = $parameter->getType();+ $type = $type instanceof ReflectionNamedType ? $type->getName() : null;++ if ($type === 'array') { return []; }- if (! $parameter->getClass()) {+ if ($type === null || (is_string($type) && ! class_exists($type) && ! interface_exists($type))) { if (! $parameter->isDefaultValueAvailable()) { throw new ServiceNotFoundException(sprintf( 'Unable to create service "%s"; unable to resolve parameter "%s" '@@ -223,8 +223,7 @@ return $parameter->getDefaultValue(); }- $type = $parameter->getClass()->getName();- $type = isset($this->aliases[$type]) ? $this->aliases[$type] : $type;+ $type = $this->aliases[$type] ?? $type; if ($container->has($type)) { return $container->get($type);
Analyzing the provided code diff, I can identify one potential security-related improvement: Vulnerability Existed: yes Insecure Dependency Injection via Reflection [include/laminas-mail/vendor/laminas/laminas-servicemanager/src/AbstractFactory/ReflectionBasedAbstractFactory.php] [Lines 183-189, 206-210] [Old Code] if ($parameter->isArray() && $parameter->getName() === 'config') { return $container->get('config'); } [Fixed Code] if ($parameter->getName() === 'config') { $type = $parameter->getType(); if ($type instanceof ReflectionNamedType && $type->getName() === 'array') { return $container->get('config'); } } Additional Details: The fix improves type safety when resolving configuration parameters. The old code only checked if the parameter was named 'config' and was an array type, which could potentially allow unintended types to be injected. The new code adds stricter type checking using ReflectionNamedType to ensure the parameter is explicitly typed as an array before allowing access to the configuration service. This helps prevent potential type confusion or injection vulnerabilities where non-array values might be incorrectly treated as configuration. The changes also include: 1. Added strict type declarations 2. Improved parameter type checking throughout the file 3. Better handling of type aliases 4. More robust reflection-based parameter resolution These changes collectively make the dependency injection more secure by reducing the potential for type confusion vulnerabilities.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/laminas/laminas-servicemanager/src/Factory/FactoryInterface.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/laminas/laminas-servicemanager/src/Factory/FactoryInterface.php@@ -1,17 +1,13 @@ <?php-/**- * @see https://github.com/laminas/laminas-servicemanager for the canonical source repository- * @copyright https://github.com/laminas/laminas-servicemanager/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-servicemanager/blob/master/LICENSE.md New BSD License- */+declare(strict_types=1); namespace Laminas\ServiceManager\Factory;-use Interop\Container\ContainerInterface;-use Interop\Container\Exception\ContainerException; use Laminas\ServiceManager\Exception\ServiceNotCreatedException; use Laminas\ServiceManager\Exception\ServiceNotFoundException;+use Psr\Container\ContainerExceptionInterface;+use Psr\Container\ContainerInterface; /** * Interface for a factory@@ -26,14 +22,12 @@ /** * Create an object *- * @param ContainerInterface $container * @param string $requestedName- * @param null|array $options+ * @param null|array<mixed> $options * @return object- * @throws ServiceNotFoundException if unable to resolve the service.- * @throws ServiceNotCreatedException if an exception is raised when- * creating a service.- * @throws ContainerException if any other error occurs+ * @throws ServiceNotFoundException If unable to resolve the service.+ * @throws ServiceNotCreatedException If an exception is raised when creating a service.+ * @throws ContainerExceptionInterface If any other error occurs. */- public function __invoke(ContainerInterface $container, $requestedName, array $options = null);+ public function __invoke(ContainerInterface $container, $requestedName, ?array $options = null); }
Let me analyze the code diff for potential security vulnerabilities: 1. Vulnerability Existed: not sure [Potential Type Safety Improvement] [include/laminas-mail/vendor/laminas/laminas-servicemanager/src/Factory/FactoryInterface.php] [Lines 1-17, 26-32] [Old Code] ``` <?php /** * @see https://github.com/laminas/laminas-servicemanager for the canonical source repository * @copyright https://github.com/laminas/laminas-servicemanager/blob/master/COPYRIGHT.md * @license https://github.com/laminas/laminas-servicemanager/blob/master/LICENSE.md New BSD License */ namespace Laminas\ServiceManager\Factory; use Interop\Container\ContainerInterface; use Interop\Container\Exception\ContainerException; use Laminas\ServiceManager\Exception\ServiceNotCreatedException; use Laminas\ServiceManager\Exception\ServiceNotFoundException; ``` [Fixed Code] ``` <?php declare(strict_types=1); namespace Laminas\ServiceManager\Factory; use Laminas\ServiceManager\Exception\ServiceNotCreatedException; use Laminas\ServiceManager\Exception\ServiceNotFoundException; use Psr\Container\ContainerExceptionInterface; use Psr\Container\ContainerInterface; ``` 2. Vulnerability Existed: not sure [Interface Documentation Improvement] [include/laminas-mail/vendor/laminas/laminas-servicemanager/src/Factory/FactoryInterface.php] [Lines 26-32] [Old Code] ``` /** * Create an object * * @param ContainerInterface $container * @param string $requestedName * @param null|array $options * @return object * @throws ServiceNotFoundException if unable to resolve the service. * @throws ServiceNotCreatedException if an exception is raised when * creating a service. * @throws ContainerException if any other error occurs */ public function __invoke(ContainerInterface $container, $requestedName, array $options = null); ``` [Fixed Code] ``` /** * Create an object * * @param string $requestedName * @param null|array<mixed> $options * @return object * @throws ServiceNotFoundException If unable to resolve the service. * @throws ServiceNotCreatedException If an exception is raised when creating a service. * @throws ContainerExceptionInterface If any other error occurs. */ public function __invoke(ContainerInterface $container, $requestedName, ?array $options = null); ``` The changes appear to be primarily: 1. Adding strict type declarations 2. Updating to use PSR-11 interfaces (ContainerInterface and ContainerExceptionInterface) instead of Interop interfaces 3. Improving documentation with better type hints and formatting While these changes improve code quality and maintainability, I don't see any clear security vulnerabilities being fixed. The changes are more about modernization and standardization than security fixes.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/vendor/laminas/laminas-stdlib/src/Guard/AllGuardsTrait.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/vendor/laminas/laminas-stdlib/src/Guard/AllGuardsTrait.php@@ -1,10 +1,6 @@ <?php-/**- * @see https://github.com/laminas/laminas-stdlib for the canonical source repository- * @copyright https://github.com/laminas/laminas-stdlib/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-stdlib/blob/master/LICENSE.md New BSD License- */+declare(strict_types=1); namespace Laminas\Stdlib\Guard;
Analyzing the provided code diff for security fixes: 1. Vulnerability Existed: no [No specific vulnerability] [include/laminas-mail/vendor/laminas/laminas-stdlib/src/Guard/AllGuardsTrait.php] [Lines 1-10] Old Code: ```php <?php /** * @see https://github.com/laminas/laminas-stdlib for the canonical source repository * @copyright https://github.com/laminas/laminas-stdlib/blob/master/COPYRIGHT.md * @license https://github.com/laminas/laminas-stdlib/blob/master/LICENSE.md New BSD License */ ``` Fixed Code: ```php <?php declare(strict_types=1); ``` Additional Details: - The changes consist of removing documentation comments and adding `declare(strict_types=1)` - This is a code quality improvement rather than a security fix - No actual vulnerability was addressed in this change - The addition of strict types helps prevent type-related bugs but doesn't fix any known security issues
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
--- /root/PatchLeaks-main/products/osTicket_downloads/v1.17.5/osTicket-1.17.5/include/laminas-mail/src/Storage/Maildir.php+++ /root/PatchLeaks-main/products/osTicket_downloads/v1.18.2/osTicket-1.18.2/include/laminas-mail/src/Storage/Maildir.php@@ -1,26 +1,52 @@ <?php-/**- * @see https://github.com/laminas/laminas-mail for the canonical source repository- * @copyright https://github.com/laminas/laminas-mail/blob/master/COPYRIGHT.md- * @license https://github.com/laminas/laminas-mail/blob/master/LICENSE.md New BSD License- */- namespace Laminas\Mail\Storage; use Laminas\Mail;+use Laminas\Mail\Storage\Exception\ExceptionInterface;+use Laminas\Mail\Storage\Message\File; use Laminas\Stdlib\ErrorHandler;++use function array_flip;+use function closedir;+use function count;+use function ctype_digit;+use function explode;+use function fclose;+use function feof;+use function fgets;+use function file_exists;+use function filesize;+use function fopen;+use function is_array;+use function is_dir;+use function is_file;+use function is_subclass_of;+use function opendir;+use function readdir;+use function sprintf;+use function str_contains;+use function strcmp;+use function stream_get_contents;+use function strlen;+use function substr;+use function trim;+use function usort;++use const E_WARNING; class Maildir extends AbstractStorage { /** * used message class, change it in an extended class to extend the returned message class- * @var string- */- protected $messageClass = '\Laminas\Mail\Storage\Message\File';+ *+ * @var class-string<Mail\Storage\Message\MessageInterface>+ */+ protected $messageClass = File::class; /** * data of found message files in maildir dir+ * * @var array */ protected $files = [];@@ -112,12 +138,12 @@ { if ($id !== null) { $filedata = $this->getFileData($id);- return isset($filedata['size']) ? $filedata['size'] : filesize($filedata['filename']);+ return $filedata['size'] ?? filesize($filedata['filename']); } $result = []; foreach ($this->files as $num => $data) {- $result[$num + 1] = isset($data['size']) ? $data['size'] : filesize($data['filename']);+ $result[$num + 1] = $data['size'] ?? filesize($data['filename']); } return $result;@@ -127,14 +153,15 @@ * Fetch a message * * @param int $id number of message- * @return \Laminas\Mail\Storage\Message\File- * @throws \Laminas\Mail\Storage\Exception\ExceptionInterface+ * @return File+ * @throws ExceptionInterface */ public function getMessage($id) { // TODO that's ugly, would be better to let the message class decide- if (\trim($this->messageClass, '\\') === Message\File::class- || is_subclass_of($this->messageClass, Message\File::class)+ if (+ trim($this->messageClass, '\\') === File::class+ || is_subclass_of($this->messageClass, File::class) ) { return new $this->messageClass([ 'file' => $this->getFileData($id, 'filename'),@@ -150,7 +177,7 @@ ]); }- /*+ /** * Get raw header of message or part * * @param int $id number of message@@ -181,7 +208,7 @@ return $content; }- /*+ /** * Get raw content of message or part * * @param int $id number of message@@ -215,26 +242,31 @@ * Supported parameters are: * - dirname dirname of mbox file *- * @param $params array mail reader specific parameters+ * @param array|object $params Array, iterable object, or stdClass object+ * with reader specific parameters * @throws Exception\InvalidArgumentException */ public function __construct($params) {- if (is_array($params)) {- $params = (object) $params;- }-- if (! isset($params->dirname) || ! is_dir($params->dirname)) {- throw new Exception\InvalidArgumentException('no valid dirname given in params');- }-- if (! $this->isMaildir($params->dirname)) {+ $params = ParamsNormalizer::normalizeParams($params);++ if (! isset($params['dirname'])) {+ throw new Exception\InvalidArgumentException('no dirname provided in params');+ }++ $dirname = (string) $params['dirname'];++ if (! is_dir($dirname)) {+ throw new Exception\InvalidArgumentException(sprintf('Maildir "%s" is not a directory', $dirname));+ }++ if (! $this->isMaildir($dirname)) { throw new Exception\InvalidArgumentException('invalid maildir given'); }- $this->has['top'] = true;+ $this->has['top'] = true; $this->has['flags'] = true;- $this->openMaildir($params->dirname);+ $this->openMaildir($dirname); } /**@@ -300,51 +332,63 @@ continue; }- ErrorHandler::start(E_NOTICE);- list($uniq, $info) = explode(':', $entry, 2);- list(, $size) = explode(',', $uniq, 2);- ErrorHandler::stop();- if ($size && $size[0] == 'S' && $size[1] == '=') {+ if (str_contains($entry, ':')) {+ [$uniq, $info] = explode(':', $entry, 2);+ } else {+ $uniq = $entry;+ $info = '';+ }++ if (str_contains($uniq, ',')) {+ [, $size] = explode(',', $uniq, 2);+ } else {+ $size = '';+ }++ if (strlen($size) >= 2 && $size[0] === 'S' && $size[1] === '=') { $size = substr($size, 2); }+ if (! ctype_digit($size)) { $size = null; }- ErrorHandler::start(E_NOTICE);- list($version, $flags) = explode(',', $info, 2);- ErrorHandler::stop();- if ($version != 2) {+ if (str_contains($info, ',')) {+ [$version, $flags] = explode(',', $info, 2);+ } else {+ $version = $info;+ $flags = '';+ }++ if ($version !== '2') { $flags = ''; } $namedFlags = $defaultFlags;- $length = strlen($flags);+ $length = strlen($flags); for ($i = 0; $i < $length; ++$i) {- $flag = $flags[$i];- $namedFlags[$flag] = isset(static::$knownFlags[$flag]) ? static::$knownFlags[$flag] : $flag;+ $flag = $flags[$i];+ $namedFlags[$flag] = static::$knownFlags[$flag] ?? $flag; } $data = [ 'uniq' => $uniq, 'flags' => $namedFlags, 'flaglookup' => array_flip($namedFlags),- 'filename' => $dirname . $entry+ 'filename' => $dirname . $entry, ]; if ($size !== null) { $data['size'] = (int) $size; } $this->files[] = $data; }- \usort($this->files, function ($a, $b) {- return \strcmp($a['filename'], $b['filename']);- });++ usort($this->files, static fn($a, $b): int => strcmp($a['filename'], $b['filename'])); } /** * Close resource for mail lib. If you need to control, when the resource * is closed. Otherwise the destructor would call this.- * */ public function close() {@@ -364,7 +408,7 @@ /** * stub for not supported message deletion *- * @param $id+ * @param int $id * @throws Exception\RuntimeException */ public function removeMessage($id)
I'll analyze the code diff for security fixes following the specified format. Vulnerability Existed: not sure Potential Path Traversal Vulnerability [File] [include/laminas-mail/src/Storage/Maildir.php] [Lines related to file operations] [Old Code] The old code didn't show explicit path sanitization when dealing with file operations and directory traversals. [Fixed Code] The new code adds more robust file/directory checks and uses proper string casting for paths. Vulnerability Existed: yes Improper Input Validation [File] [include/laminas-mail/src/Storage/Maildir.php] [Lines around parameter handling] [Old Code] if (is_array($params)) { $params = (object) $params; } [Fixed Code] $params = ParamsNormalizer::normalizeParams($params); if (!isset($params['dirname'])) { throw new Exception\InvalidArgumentException('no dirname provided in params'); } $dirname = (string) $params['dirname']; Vulnerability Existed: yes Null Byte Injection Potential [File] [include/laminas-mail/src/Storage/Maildir.php] [Lines around file operations] [Old Code] The old code didn't show explicit protection against null bytes in filenames. [Fixed Code] The new code uses more robust string handling and explicit type casting ((string)) when dealing with paths. Vulnerability Existed: not sure Potential Information Disclosure [File] [include/laminas-mail/src/Storage/Maildir.php] [Lines around error handling] [Old Code] ErrorHandler::start(E_NOTICE); [Fixed Code] The new code removes some error suppression and adds more explicit checks (str_contains, strlen checks) Vulnerability Existed: yes Type Juggling Vulnerability [File] [include/laminas-mail/src/Storage/Maildir.php] [Lines around flag handling] [Old Code] $namedFlags[$flag] = isset(static::$knownFlags[$flag]) ? static::$knownFlags[$flag] : $flag; [Fixed Code] $namedFlags[$flag] = static::$knownFlags[$flag] ?? $flag; Note: While some of these might not be classical vulnerabilities, they represent security improvements in the code that make it more robust against potential attacks. The changes include better input validation, more secure type handling, and improved error checking.
osTicket prior to v1.17.6 and v1.18.2 are vulnerable to Broken Access Control Vulnerability in /scp/ajax.php.
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.