CVE-2020-24881
published 2020-11-02

CVE-2020-24881: SSRF exists in osTicket before 1.14.3, where an attacker can add malicious file to server or perform port scanning.

Priority: P275 (critical)
CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: flagged (EXPLOIT)
EPSS: 73.27% (99.4th percentile)

Affected (1 range)

Vendor    Product   Version range   Fixed in
osticket  osticket  < 1.14.3        1.14.3

Detection & IOCs (extracted from sources)

URL: /open.php
URL: /ajax.php/form/help-topic/{{option_value}}
URL: /tickets.php?a=print&id={{ticketid}}
  • Detect SSRF exploitation attempt: monitor for POST requests to /open.php with multipart/form-data containing a crafted 'message' field, followed by a GET to /tickets.php?a=print — the print action triggers the server-side request to attacker-controlled URLs embedded in the ticket message.
  • Monitor for outbound DNS/HTTP requests from the osTicket server process triggered by the print ticket action — indicative of SSRF payload delivery via the ticket message body.
  • Alert on requests to /tickets.php with query parameter a=print, especially when the originating ticket was recently created via /open.php with an external URL in the message field.
  • Vulnerability affects osTicket versions before 1.14.3 only; upgrade to 1.14.3 or later to remediate.
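The three detection bullets above describe a single correlation: a ticket created via POST /open.php, a later GET /tickets.php?a=print, and an outbound connection from the osTicket host right after the print request. The script below, added here as an illustration and not taken from osTicket or from any vendor's detection rule, runs that correlation over a few constructed log lines. The combined access-log format, the egress-log format (`<iso-ts> <src-host> <dst-host>:<port>`), the allow-list contents, the 30-minute and 10-second windows, and all IP addresses are assumptions. Note that a standard access log carries neither the request Content-Type nor the message body, so the "crafted message field" check from the first bullet is out of reach here and needs a WAF or request-body logging in front of the application.

```python
"""Correlate osTicket access-log entries with outbound-connection events.

Rule (defender side, constructed for this example):
  - a GET /tickets.php?a=print preceded within create_window by a
    POST /open.php is 'medium';
  - a GET /tickets.php?a=print followed within egress_window by an outbound
    connection to a host not on the allow-list is 'high'.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Apache/nginx combined log format; only the fields we need are captured.
ACCESS_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ACCESS_TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
EGRESS_TS_FMT = "%Y-%m-%dT%H:%M:%S%z"

# Constructed sample data. Ticket 42 is created, printed 24 s later, and the
# server then connects to an unknown external host. Ticket 17 is printed
# hours later with only an allow-listed database connection afterwards.
SAMPLE_ACCESS = [
    '198.51.100.23 - - [02/Nov/2020:10:00:12 +0000] "GET /open.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [02/Nov/2020:10:00:40 +0000] "POST /open.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.12 - - [02/Nov/2020:10:01:03 +0000] "GET /scp/tickets.php?id=42 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
    '10.0.0.12 - - [02/Nov/2020:10:01:04 +0000] "GET /tickets.php?a=print&id=42 HTTP/1.1" 200 14000 "-" "Mozilla/5.0"',
    '10.0.0.12 - - [02/Nov/2020:15:30:00 +0000] "GET /tickets.php?a=print&id=17 HTTP/1.1" 200 14000 "-" "Mozilla/5.0"',
]
SAMPLE_EGRESS = [
    "2020-11-02T10:01:04+0000 osticket-web 10.0.0.5:3306",
    "2020-11-02T10:01:05+0000 osticket-web 203.0.113.77:80",
    "2020-11-02T15:30:01+0000 osticket-web 10.0.0.5:3306",
]
# Hosts the osTicket server legitimately talks to (assumed: its database).
ALLOWLIST = {"10.0.0.5"}


def parse_access(lines):
    """Parse combined-format lines into dicts with parsed time, path and query."""
    records = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # not combined format; ignore rather than fail
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], ACCESS_TS_FMT)
        url = urlsplit(rec["target"])
        rec["path"] = url.path
        rec["query"] = parse_qs(url.query)
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def parse_egress(lines):
    """Parse '<iso-ts> <src-host> <dst-host>:<port>' lines into (ts, dst_host)."""
    events = []
    for line in lines:
        ts, _src, dst = line.split()
        host = dst.rsplit(":", 1)[0]
        events.append((datetime.strptime(ts, EGRESS_TS_FMT), host))
    return sorted(events)


def correlate(access, egress, allowlist,
              create_window=timedelta(minutes=30),
              egress_window=timedelta(seconds=10)):
    """Return one alert dict per suspicious print request."""
    creates = [r["ts"] for r in access
               if r["method"] == "POST" and r["path"] == "/open.php"]
    alerts = []
    for r in access:
        is_print = (r["method"] == "GET" and r["path"] == "/tickets.php"
                    and r["query"].get("a") == ["print"])
        if not is_print:
            continue
        recent_create = any(r["ts"] - create_window <= t <= r["ts"] for t in creates)
        outbound = [h for t, h in egress
                    if r["ts"] <= t <= r["ts"] + egress_window and h not in allowlist]
        if outbound:
            severity = "high"
        elif recent_create:
            severity = "medium"
        else:
            continue
        alerts.append({
            "severity": severity,
            "ticket_id": r["query"].get("id", ["?"])[0],
            "print_client": r["client"],
            "recent_create": recent_create,
            "outbound": outbound,
        })
    return alerts


def run_sample():
    """Run the rule over the constructed sample logs."""
    return correlate(parse_access(SAMPLE_ACCESS), parse_egress(SAMPLE_EGRESS), ALLOWLIST)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample data only ticket 42 is reported (severity high): it was printed within the window after a ticket creation and the server opened a connection to 203.0.113.77 one second later. Ticket 17 produces nothing because the only connection after its print request goes to the allow-listed database host. In production the allow-list is the part to get right; a short list of the hosts osTicket is expected to reach (database, mail relay, update server) keeps the rule from firing on normal traffic.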

CVSS provenance

NVD  CVSS v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD  CVSS v2.0  7.5  HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P