CVE-2020-1772
Published 2020-03-27
High 7.5 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
It's possible to craft Lost Password requests with wildcards in the Token value, which allows an attacker to retrieve valid Token(s) generated by users who have already requested new passwords. This issue affects: ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | otrs2 | < otrs2 6.0.27-1 (bullseye) | otrs2 6.0.27-1 (bullseye) |
| opensuse | backports_sle | — | — |
| opensuse | leap | — | — |
| opensuse | leap | — | — |
| otrs | otrs | 5.0.0 – 5.0.41 | — |
| otrs | otrs | 6.0.0 – 6.0.26 | — |
| otrs | otrs | 7.0.0 – 7.0.15 | — |
| otrs_ag | community_edition | 5.0.x – 5.0.41 | — |
| otrs_ag | community_edition | 6.0.x – 6.0.26 | — |
| otrs_ag | otrs | 7.0.x – 7.0.15 | — |
CVSS provenance
nvd: v3.1, 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
osv: 7.5 HIGH