cbcvebase.
CVE-2017-15580
published 2017-10-23

Priority: P269 · critical 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: EXPLOIT
EPSS: 15.98% (96.5th percentile)
osTicket 1.10.1 provides functionality to upload 'html' files with associated formats. However, it does not properly validate the uploaded file's contents and thus accepts any type of file: for example, an attacker can intercept the tickets.php upload request and change the .html extension of the attached file to .exe, and the server stores it anyway. An attacker can leverage this vulnerability to upload arbitrary files with malicious content to the web application.

Affected (1 range)

Vendor: osticket
Product: osticket
Version range: (not given on this page)
Fixed in: (not given on this page)

Detection & IOCs (extracted from sources)

url: tickets.php?id=#reply
filename: reverse.exe
  • Monitor file upload requests to tickets.php where the file extension has been changed from .html to .exe (or another executable type) in an intercepted or modified HTTP request; this is the signature of the client-side bypass.
  • Alert on POST requests to tickets.php carrying a reply action where the uploaded part's declared Content-Type is text/html but the filename extension is not HTML (e.g. .exe, .php, .jsp).
  • Watch for outbound reverse TCP shell connections (e.g. to port 4444) originating from the web server process shortly after a file upload to osTicket, consistent with execution of the uploaded payload.
  • The only validation is client-side; the server accepts any file type regardless of content, so detection must happen at the server or network layer, not in the browser.
  • The vulnerability is specific to osTicket version 1.10.1; confirm the deployed version before enabling these detections to avoid false positives on patched instances.
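The detection bullets above, as an added example in Python (my own code, not osTicket's and not from the CVE's cited source). It parses constructed multipart upload requests to the assumed path /tickets.php, flags the three conditions listed (executable extension, text/html declared for a non-HTML filename, executable magic bytes in the body), and includes a contrasting server-side check that looks at content rather than the filename alone. The extension sets, the sample requests and the helper names are assumptions for illustration.

```python
# Added example: detection logic for the osTicket upload IOCs above, run over
# constructed multipart requests. Not osTicket code; paths and sets are assumed.
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: the upload form posts to tickets.php; extension sets are illustrative.
EXECUTABLE_EXTS = {"exe", "dll", "php", "phtml", "jsp", "aspx", "sh"}
HTML_EXTS = {"html", "htm"}

# Leading bytes that identify content the "html" upload slot should never hold.
MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"<?php": "PHP source",
}


@dataclass
class Upload:
    method: str
    path: str
    filename: str
    content_type: str   # Content-Type declared in the file part, lower-cased
    body: bytes         # raw file bytes from the multipart part


def parse_request(raw: bytes) -> Optional[Upload]:
    """Pull the first file part out of a raw multipart/form-data HTTP request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    method, path, _ = head.split(b"\r\n", 1)[0].decode().split(" ", 2)
    m = re.search(rb"boundary=([^\r\n;]+)", head)
    if not m:
        return None
    for part in body.split(b"--" + m.group(1)):
        if b'filename="' not in part:
            continue
        part_head, _, part_body = part.partition(b"\r\n\r\n")
        filename = re.search(rb'filename="([^"]*)"', part_head).group(1).decode()
        ct = re.search(rb"Content-Type:\s*([^\r\n]+)", part_head)
        content_type = ct.group(1).decode().strip().lower() if ct else ""
        if part_body.endswith(b"\r\n"):      # strip only the CRLF before the boundary
            part_body = part_body[:-2]
        return Upload(method, path, filename, content_type, part_body)
    return None


def extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def findings(u: Upload) -> list[str]:
    """Server/network-side checks matching the detection bullets above."""
    out: list[str] = []
    if u.method != "POST" or not u.path.startswith("/tickets.php"):
        return out
    ext = extension(u.filename)
    if ext in EXECUTABLE_EXTS:
        out.append(f"executable extension .{ext} in upload to tickets.php")
    if u.content_type == "text/html" and ext not in HTML_EXTS:
        out.append(f"Content-Type text/html but filename is {u.filename}")
    for magic, desc in MAGIC.items():
        if u.body.startswith(magic):
            out.append(f"file content is {desc}")
    return out


def hardened_accepts(u: Upload) -> bool:
    """Content-aware server check (assumed design, not osTicket's fix): extension
    allow-list plus a sniff of the bytes, so renaming reverse.exe is not enough."""
    if extension(u.filename) not in HTML_EXTS:
        return False
    if any(u.body.startswith(magic) for magic in MAGIC):
        return False
    return b"<" in u.body[:64]   # crude: HTML should begin with markup


def _multipart(path: bytes, filename: bytes, ctype: bytes, data: bytes) -> bytes:
    """Build a constructed sample request (no real traffic was captured)."""
    return (b"POST " + path + b" HTTP/1.1\r\nHost: helpdesk.example\r\n"
            b"Content-Type: multipart/form-data; boundary=X1\r\n\r\n"
            b"--X1\r\nContent-Disposition: form-data; name=\"attachments[]\"; "
            b'filename="' + filename + b'"\r\nContent-Type: ' + ctype + b"\r\n\r\n"
            + data + b"\r\n--X1--\r\n")


BENIGN_REQUEST = _multipart(b"/tickets.php?id=1", b"notes.html", b"text/html",
                            b"<html><body>ok</body></html>")
# The IOC from this page: .html renamed to .exe in the intercepted request, still declared text/html.
MALICIOUS_REQUEST = _multipart(b"/tickets.php?id=1", b"reverse.exe", b"text/html",
                               b"MZ\x90\x00\x03\x00\x00\x00")

if __name__ == "__main__":
    for raw in (BENIGN_REQUEST, MALICIOUS_REQUEST):
        u = parse_request(raw)
        print(u.filename, findings(u), "hardened_accepts:", hardened_accepts(u))
```

The benign request produces no findings and passes the hardened check; the renamed reverse.exe trips all three rules and is rejected by the content-aware check even though its declared Content-Type is text/html. In a real deployment the same logic would run against a reverse proxy's request log or a WAF's multipart parser rather than raw bytes.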

CVSS provenance

NVD v3.0: 9.8 CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P