CVE-2021-21443
Published: 2021-07-26
CVE-2021-21443: Agents are able to list customer user emails without required permissions in the bulk action screen. This issue affects: OTRS AG ((OTRS)) Community Edition…
Priority: P4 · 20 · medium · CVSS 3.1 base score 4.3
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.85% (53.6th percentile)
Agents are able to list customer user emails without required permissions in the bulk action screen. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | otrs2 | < otrs2 6.0.32-6 (bullseye) | otrs2 6.0.32-6 (bullseye) |
| debian | znuny | < otrs2 6.0.32-6 (bullseye) | otrs2 6.0.32-6 (bullseye) |
| otrs | otrs | 6.0.0 – 6.0.32 | — |
| otrs | otrs | 7.0.0 – 7.0.27 | — |
| otrs_ag | community_edition | >= 6.0.1 < 6.0.x* | 6.0.x* |
| otrs_ag | otrs | >= 7.0.x < 7.0.27 | 7.0.27 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| osv | — | 4.3 | MEDIUM | — |
| vendor_debian | — | 3.5 | LOW | — |
GHSA
GHSA-8cr8-7h2h-c8f7: Agents are able to list customer user emails without required permissions in the bulk action screen
Source: ghsa_unreviewed · 2022-05-24 · CVE-2021-21443 [MEDIUM] · CWE-200
OSV
CVE-2021-21443: Agents are able to list customer user emails without required permissions in the bulk action screen
Source: osv · 2021-07-26 · CVSS 4.3 · [MEDIUM]
Debian
CVE-2021-21443: otrs2 - Agents are able to list customer user emails without required permissions in the...
Source: vendor_debian · 2021 · CVSS 3.5 · [LOW]
Scope: local
bullseye: resolved (fixed in 6.0.32-6)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2021-07-26