Vendor: osTicket
By: Talat Mehmood
CVSS: 9.8 (CRITICAL)
Vulnerability Type: Server Side Request Forgery (SSRF)
CWE: 922
Product Name: osTicket
Affected Version From: <1.14.3
Affected Version To: <1.14.3
Patch Exists: YES
Related CVE: CVE-2020-24881
CPE: osticket
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Linux
Year: 2021

osTicket 1.14.2 – SSRF

osTicket before 1.14.3 suffers from Server Side Request Forgery (SSRF). The ticket's HTML is rendered on the backend server when the 'Print' ticket functionality is called. An attacker can create a new ticket, select the 'HTML Format' format, add an image tag with a malicious payload in the src attribute, and print the ticket. The backend renderer then requests the image URL, which results in a hit on the malicious website from the internal server on which osTicket is deployed.

Mitigation:

Upgrade to osTicket version 1.14.3 or later.
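
To audit stored ticket bodies for tags of the kind described above, the following added example (not osTicket code and not part of the original advisory) lists every URL a server-side HTML renderer would fetch that falls outside an allowlist. The allowlisted host, the tag/attribute map and the sample ticket body are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only host the print renderer needs to fetch from.
ALLOWED_HOSTS = {"helpdesk.example.org"}

# Tags whose attribute makes an HTML renderer issue a request (illustrative subset).
FETCHING = {"img": "src", "iframe": "src", "embed": "src", "script": "src",
            "input": "src", "source": "src", "video": "src", "audio": "src",
            "link": "href", "object": "data"}


class RemoteRefFinder(HTMLParser):
    """Collects (tag, url) pairs that point outside the allowlist."""

    def __init__(self, allowed_hosts):
        super().__init__(convert_charrefs=True)
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCHING.get(tag)  # None for tags that do not fetch, e.g. <a>
        for name, value in attrs:
            if name != wanted or not value:
                continue
            value = value.strip()
            try:
                url = urlsplit(value)
            except ValueError:  # malformed URL: report it rather than guess
                self.findings.append((tag, value))
                continue
            # Inline data:/cid: content and relative paths never leave the helpdesk.
            if url.scheme in ("data", "cid") or not (url.scheme or url.netloc):
                continue
            if (url.hostname or "").lower() not in self.allowed:
                self.findings.append((tag, value))


def remote_references(html, allowed_hosts=ALLOWED_HOSTS):
    finder = RemoteRefFinder(allowed_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample ticket body; the first tag uses an unquoted src attribute.
SAMPLE = ('<p>Printer on floor 3 is offline.</p>'
          '<img src=https://collector.example/hit.png>'
          '<IMG SRC="//collector.example/b.gif">'
          '<img src="/images/logo.png"><img src="data:image/png;base64,AAAA">'
          '<img src="https://helpdesk.example.org/attachment/1.png">'
          '<a href="https://vendor.example/docs">docs</a>')
```

Calling `remote_references(SAMPLE)` reports the two `collector.example` images and ignores the relative, inline, allowlisted and plain-link references.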

Exploit-DB raw data:

# Exploit Title: osTicket 1.14.2 - SSRF
# Date: 18-01-2021
# Exploit Author: Talat Mehmood
# Vendor Homepage: https://osticket.com/
# Software Link: https://osticket.com/download/
# Version: <1.14.3 
# Tested on: Linux
# CVE : CVE-2020-24881

osTicket before 1.14.3 suffers from Server Side Request Forgery [SSRF]. The HTML page is rendered on the backend server when the "Print" ticket functionality is called.

Below are the steps to reproduce this vulnerability:

1. Create a new ticket
2. Select "HTML Format" format.
3. Add an image tag with your payload in the src attribute, i.e. <img src="https://mymaliciouswebsite.com">
4. After submitting this comment, print this ticket.
5. You'll receive a hit on your malicious website from the internal server on which osTicket is deployed.

For more details, read my following blog:

https://blackbatsec.medium.com/cve-2020-24881-server-side-request-forgery-in-osticket-eea175e147f0
https://nvd.nist.gov/vuln/detail/CVE-2020-24881