CVE-2020-1776 — Insufficient Session Expiration in Otrs

CWE-613 — Insufficient Session Expiration5 documents5 sources

Severity

4.3MEDIUMNVD

CNA3.5

EPSS

0.3%

top 44.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Otrs Otrs AG Community Edition Otrs AG Otrs

Timeline

PublishedJul 20

Latest updateMay 24

Description

When an agent user is renamed or set to invalid the session belonging to the user is keept active. The session can not be used to access ticket data in the case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28 and prior versions. OTRS: 7.0.18 and prior versions, 8.0.4. and prior versions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5otrs_ag/community_edition6.0.x — 6.0.28

▶NVDotrs/otrs7.0.0 — 7.0.19+2

▶CVEListV5otrs_ag/otrs7.0.x — 7.0.18+1

Patches

Patch: otrs.com ↗Patch: otrs.com ↗

🔴Vulnerability Details

GHSA

GHSA-vcrm-8v3j-v6f3: When an agent user is renamed or set to invalid the session belonging to the user is keept active↗2022-05-24

▶

CVEList

Invalidating or changing user does not invalidate session↗2020-07-20

▶

OSV

CVE-2020-1776: When an agent user is renamed or set to invalid the session belonging to the user is keept active↗2020-07-20

▶

📋Vendor Advisories

Debian

CVE-2020-1776: otrs2 - When an agent user is renamed or set to invalid the session belonging to the use...↗2020

▶