cbcvebase.
CVE-2021-36097
published 2021-10-18

CVE-2021-36097: Agents are able to lock the ticket without the "Owner" permission. Once the ticket is locked, it could be moved to the queue where the agent has "rw"…

PriorityP420medium4.3CVSS 3.1
AVNACLPRLUINSUCNILAN
EPSS
0.51%
39.3th percentile
Agents are able to lock the ticket without the "Owner" permission. Once the ticket is locked, it could be moved to the queue where the agent has "rw" permissions and gain a full control. This issue affects: OTRS AG OTRS 8.0.x version: 8.0.16 and prior versions.

Affected

2 ranges
VendorProductVersion rangeFixed in
otrsotrs8.0.0 – 8.0.16
otrs_agotrs8.0.x – 8.0.16

CVSS provenance

nvdv3.14.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
nvdv2.04.0MEDIUMAV:N/AC:L/Au:S/C:N/I:P/A:N
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.