CVE-2020-1773
Published 2020-03-27
Priority P3 · 44 · High 8.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:N
EPSS: 1.50% (71.1st percentile)
An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users' session IDs, password reset tokens and automatically generated passwords. This issue affects ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions; OTRS: 7.0.15 and prior versions.
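The weakness class here is CWE-331 (insufficient entropy): tokens that should be unguessable are drawn from a generator whose state an authenticated user can recover from their own token. The Python below is an added, constructed illustration of that attack pattern and its fix; it is not OTRS code (OTRS is written in Perl, and Perl's built-in `rand` is not a cryptographically secure generator), and `WeakTokenService`, `SecureTokenService`, `predict_tokens` and the start timestamp are all hypothetical stand-ins chosen for the example.

```python
"""Constructed illustration of CWE-331 (insufficient entropy) in token
generation, the weakness class behind CVE-2020-1773. Added example, not
OTRS code: the classes below are hypothetical stand-ins, not the real
OTRS session, password-reset or password-generation modules."""
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
TOKEN_LEN = 32


def _draw(rng, n: int = TOKEN_LEN) -> str:
    """Render one token using whatever `choice` the caller's RNG provides."""
    return "".join(rng.choice(ALPHABET) for _ in range(n))


class WeakTokenService:
    """Hypothetical vulnerable server: one Mersenne Twister instance seeded
    from a second-resolution clock at start-up, then reused for every
    session ID, password reset token and generated password it hands out."""

    def __init__(self, start_time: int) -> None:
        self._rng = random.Random(start_time)  # low-entropy seed (assumed)

    def new_token(self) -> str:
        return _draw(self._rng)


class SecureTokenService:
    """Corrected form: every token is drawn from the OS CSPRNG."""

    def new_token(self) -> str:
        return _draw(secrets.SystemRandom())


def predict_tokens(observed: str, seed_window, max_offset: int, count: int):
    """Attacker side. The attacker holds one token of their own (the session
    ID they were legitimately issued) and guesses the server started within
    `seed_window`. For each candidate seed the stream is replayed; if
    `observed` appears within the first `max_offset` tokens, the seed and
    position are recovered and the next `count` tokens, the ones other
    users receive after the attacker, are read straight off the stream.
    Returns (seed, offset, predicted_tokens), or None if no seed fits."""
    for seed in seed_window:
        rng = random.Random(seed)
        for offset in range(max_offset):
            if _draw(rng) == observed:
                return seed, offset, [_draw(rng) for _ in range(count)]
    return None


def attack_weak_service(start_time: int = 1_600_000_000):
    """Constructed scenario (timestamp is made up): five users get tokens
    before the attacker, three after. Returns (predicted, actual) for the
    three later tokens; against the weak service they are identical."""
    svc = WeakTokenService(start_time)
    for _ in range(5):
        svc.new_token()                                 # earlier users
    mine = svc.new_token()                              # attacker's own session ID
    victims = [svc.new_token() for _ in range(3)]       # later reset tokens etc.
    window = range(start_time - 300, start_time + 301)  # +/- 5 minute guess
    hit = predict_tokens(mine, window, max_offset=50, count=3)
    predicted = hit[2] if hit else []
    return predicted, victims


def attack_secure_service(start_time: int = 1_600_000_000):
    """Same attack against the CSPRNG-backed service: no candidate seed
    reproduces the observed token, so prediction fails and None comes back."""
    svc = SecureTokenService()
    mine = svc.new_token()
    window = range(start_time - 300, start_time + 301)
    return predict_tokens(mine, window, max_offset=50, count=3)


if __name__ == "__main__":
    predicted, actual = attack_weak_service()
    print("weak service: later tokens predicted:", predicted == actual)
    print("secure service: seed recovered:", attack_secure_service() is not None)
```

The practical check this suggests for any application that mints session IDs, reset tokens or initial passwords: confirm the generator is a CSPRNG (OS entropy or an equivalent library), not a language-level `rand`, and that no single seeded instance is shared across security-relevant values. Rotating tokens issued before the fix is the remediation step, since tokens already minted from a predictable stream stay predictable.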
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | otrs2 | < otrs2 6.0.27-1 (bullseye) | otrs2 6.0.27-1 (bullseye) |
| otrs | otrs | 5.0.0 – 5.0.41 | — |
| otrs | otrs | 6.0.0 – 6.0.26 | — |
| otrs | otrs | 7.0.0 – 7.0.15 | — |
| otrs_ag | community_edition | — | — |
| otrs_ag | community_edition | — | — |
| otrs_ag | otrs | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| nvd | v2.0 | 5.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:N |
| osv | — | 8.1 | HIGH | — |
| vendor_debian | — | 7.3 | HIGH | — |
GHSA
GHSA-63m6-fqgg-rv45 · ghsa_unreviewed · 2022-05-24 · CVE-2020-1773 · MEDIUM · CWE-331
It's possible that an authenticated user guesses other session IDs based on their own. It is also possible to guess a password reset token or an automatically generated password. This issue affects ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions; OTRS: 7.0.15 and prior versions.
OSV
CVE-2020-1773 · osv · 2020-03-27 · CVSS 8.1 · HIGH
An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users' session IDs, password reset tokens and automatically generated passwords. This issue affects ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions; OTRS: 7.0.15 and prior versions.
Debian
CVE-2020-1773: otrs2 · vendor_debian · 2020 · CVSS 7.3 · HIGH
An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users' session IDs, password reset tokens and automatically generated passwords. This issue affects ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions; OTRS: 7.0.15 and prior versions.
Scope: local
bullseye: resolved (fixed in 6.0.27-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html
https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
https://otrs.com/release-notes/otrs-security-advisory-2020-10/