CVE-2021-21438Incorrect Default Permissions in FAQ

CWE-264CWE-276Incorrect Default Permissions3 documents3 sources
Severity
4.3MEDIUMNVD
CNA3.5
EPSS
0.2%
top 61.38%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Otrs FAQOtrsOtrs AG FAQ+1 more
Timeline
PublishedMar 22
Latest updateMay 24

Description

Agents are able to see linked FAQ articles without permissions (defined in FAQ Category). This issue affects: FAQ version 6.0.29 and prior versions, OTRS version 7.0.24 and prior versions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

NVDotrs/faq6.0.06.0.29
NVDotrs/otrs7.0.07.0.24
CVEListV5otrs_ag/faq6.0.x6.0.29
CVEListV5otrs_ag/otrsunspecified7.0.24

🔴Vulnerability Details

2
GHSA
GHSA-vxww-8wxj-j946: Agents are able to see linked FAQ articles without permissions (defined in FAQ Category)2022-05-24
CVEList
FAQ articles are shown to users without permission2021-03-22
CVE-2021-21438 — Incorrect Default Permissions in FAQ | cvebase