PT-2017-3372 · Osticket · Osticket

R3J10R

Published 2017-10-11 · Updated 2019-03-26 · CVE-2017-15580

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: osTicket 1.10.1
Description: The file upload functionality in osTicket 1.10.1 does not properly validate the contents of uploaded files; the check it applies can be bypassed by changing the file extension in the upload request. For example, a tickets.php request can be modified so that a file is stored with a .exe extension. A remote attacker can use this to upload arbitrary, potentially malicious files to the web application.
Recommendations: For osTicket 1.10.1, disable the file upload functionality until a fixed release is installed, or restrict the file types that can be uploaded (an allowlist of extensions, checked against the file's actual content rather than the client-declared type or name). As a temporary workaround, restrict access to the tickets.php script to reduce exposure.
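The two patterns behind the description and the recommendation, as an added example that is not osTicket code and not taken from this advisory: a weak check that trusts what the client declares and stores the file under the client-supplied name, beside a hardened one that allowlists a single extension, verifies the leading bytes match that type, and stores the file under a server-chosen name. The sample uploads, the allowlist and the signature table are constructed for illustration.

```python
import re
import secrets
from dataclasses import dataclass

# Constructed sample uploads: (client filename, client Content-Type, leading bytes).
# In a multipart POST all three are attacker-controlled.
SAMPLE_UPLOADS = {
    "pdf_ok":         ("invoice.pdf",   "application/pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    "png_ok":         ("logo.png",      "image/png",       b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    "exe_renamed":    ("payload.exe",   "application/pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
    "pdf_named_exe":  ("report.pdf",    "application/pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
    "php_double_ext": ("shell.php.png", "image/png",       b"<?php system($_GET['c']); ?>"),
    "php_plain":      ("shell.php",     "image/png",       b"<?php system($_GET['c']); ?>"),
    "traversal":      ("../../x.png",   "image/png",       b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
}

ALLOWED_CONTENT_TYPES = {"application/pdf", "image/png", "image/jpeg"}
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg"}
# Leading bytes a file of each allowed type must carry (illustrative table).
MAGIC = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}


def weak_accept(filename, content_type, data):
    """Vulnerable pattern: only the client-declared Content-Type is checked, and the
    file is stored under the client-supplied name, extension included. Returns the
    stored name, or None if rejected. Renaming payload.exe and declaring
    'application/pdf' passes, which is the class of bypass the advisory describes."""
    if content_type not in ALLOWED_CONTENT_TYPES:
        return None
    return filename


class UploadRejected(ValueError):
    pass


@dataclass(frozen=True)
class Accepted:
    ext: str
    stored_name: str  # server-chosen; the client never picks a path or extension


# Exactly one stem and one extension: no directories, no "shell.php.png".
_NAME_RE = re.compile(r"[A-Za-z0-9_\-]{1,64}\.([A-Za-z0-9]{1,8})")


def strict_accept(filename, content_type, data):
    """Hardened pattern: the Content-Type header is ignored as untrusted, the name
    must be a plain stem.ext, the extension must be allowlisted, the content must
    start with that type's magic bytes, and the stored name is random."""
    m = _NAME_RE.fullmatch(filename)
    if m is None:
        raise UploadRejected(f"malformed filename: {filename!r}")
    ext = m.group(1).lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension not allowed: {ext}")
    if not data.startswith(MAGIC[ext]):
        raise UploadRejected(f"content does not look like {ext}")
    return Accepted(ext=ext, stored_name=f"{secrets.token_hex(16)}.{ext}")


def triage(samples=SAMPLE_UPLOADS):
    """Run every sample through both checks: {name: (weak_accepted, strict_accepted)}."""
    out = {}
    for name, (fn, ct, data) in samples.items():
        weak = weak_accept(fn, ct, data) is not None
        try:
            strict_accept(fn, ct, data)
            strict = True
        except UploadRejected:
            strict = False
        out[name] = (weak, strict)
    return out


if __name__ == "__main__":
    for name, (weak, strict) in triage().items():
        print(f"{name:15s} weak={'ACCEPT' if weak else 'reject'}  "
              f"strict={'ACCEPT' if strict else 'reject'}")
```

The weak check accepts every sample because the only thing it inspects is a header the attacker writes; the strict check accepts only the two whose name, extension and content agree. Storing under a random server-chosen name (ideally outside the web root) matters even with a good allowlist, since it removes the client's control over what the web server is asked to execute.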

Weakness Enumeration

Unrestricted File Upload

Related Identifiers

BDU:2018-00154
CVE-2017-15580

Affected Products

Osticket