CVE-2020-1765 — External Control of Assumed-Immutable Web Parameter in Otrs

CWE-472 — External Control of Assumed-Immutable Web Parameter6 documents6 sources

Severity

5.3MEDIUMNVD

CNA3.5

EPSS

0.6%

top 29.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Otrs Otrs AG Community Edition Otrs AG Otrs +3 more

Timeline

PublishedJan 10

Latest updateMay 24

Description

An improper control of parameters allows the spoofing of the from fields of the following screens: AgentTicketCompose, AgentTicketForward, AgentTicketBounce and AgentTicketEmailOutbound. This issue affects: ((OTRS)) Community Edition 5.0.x version 5.0.39 and prior versions; 6.0.x version 6.0.24 and prior versions. OTRS 7.0.x version 7.0.13 and prior versions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages5 packages

▶CVEListV5otrs_ag/community_edition5.0.x version 5.0.39 and prior versions, 6.0.x version 6.0.24 and prior versions+1

▶NVDotrs/otrs5.0.0 — 5.0.39+2

▶CVEListV5otrs_ag/otrs7.0.x version 7.0.13 and prior versions

▶NVDopensuse/leap15.1, 15.2+1

▶NVDopensuse/backports_sle15.0

Also affects: Debian Linux 8.0

Patches

Patch: otrs.com ↗Patch: otrs.com ↗

🔴Vulnerability Details

GHSA

GHSA-rfv4-xfv7-5r3p: An improper control of parameters allows the spoofing of the from fields of the following screens: AgentTicketCompose, AgentTicketForward, AgentTicket↗2022-05-24

▶

OSV

CVE-2020-1765: An improper control of parameters allows the spoofing of the from fields of the following screens: AgentTicketCompose, AgentTicketForward, AgentTicket↗2020-01-10

▶

CVEList

Spoofing of From field in several screens↗2020-01-10

▶

📋Vendor Advisories

Debian

CVE-2020-1765: otrs2 - An improper control of parameters allows the spoofing of the from fields of the ...↗2020

▶

💬Community

Bugzilla

CVE-2019-8696 cups: stack-buffer-overflow in libcups's asn1_get_packed function↗2019-08-07

▶