CVE-2021-36091 — Sensitive Information Exposure in AG Community Edition

CWE-200 — Sensitive Information Exposure CWE-863 — Incorrect Authorization5 documents5 sources

Severity

4.3MEDIUMNVD

CNA3.5

EPSS

0.1%

top 67.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Otrs AG Community Edition Otrs AG Otrs Otrs

Timeline

PublishedJul 26

Latest updateMay 24

Description

Agents are able to list appointments in the calendars without required permissions. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5otrs_ag/community_edition6.0.1 — 6.0.x*

▶NVDotrs/otrs6.0.0 — 6.0.32+1

▶CVEListV5otrs_ag/otrs7.0.x — 7.0.27

🔴Vulnerability Details

GHSA

GHSA-mxpc-p9xr-9j86: Agents are able to list appointments in the calendars without required permissions↗2022-05-24

▶

CVEList

Unautorized access to the calendar appointments↗2021-07-26

▶

OSV

CVE-2021-36091: Agents are able to list appointments in the calendars without required permissions↗2021-07-26

▶

📋Vendor Advisories

Debian

CVE-2021-36091: otrs2 - Agents are able to list appointments in the calendars without required permissio...↗2021

▶