CVE-2023-1250
Published 2023-03-20
CVE-2023-1250: Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code. When…
Priority P3 · 40 · high · 7.8 (CVSS 3.1)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.29% (21.1st percentile)
Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code. When creating or importing an ACL it was possible to inject code that gets executed via manipulated comments and ACL names.
This issue affects OTRS: from 7.0.X before 7.0.42, from 8.0.X before 8.0.31; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| otrs | otrs | 6.0.1 – 6.0.34 | — |
| otrs | otrs | >= 7.0.0 < 7.0.42 | 7.0.42 |
| otrs | otrs | >= 8.0.0 < 8.0.31 | 8.0.31 |
| otrs_ag | community_edition | 6.0.1 – 6.0.34 | — |
| otrs_ag | otrs | >= 7.0.x < 7.0.42 | 7.0.42 |
| otrs_ag | otrs | >= 8.0.x < 8.0.31 | 8.0.31 |
CVSS provenance
- nvd: v3.1, 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- osv: 7.8 HIGH
- vendor_redhat: 7.5 HIGH
GHSA
GHSA-jwm9-wmrq-4g6h: Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code
ghsa_unreviewed · 2023-03-20
CVE-2023-1250 [HIGH] CWE-94 GHSA-jwm9-wmrq-4g6h: Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code
Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code. When creating or importing an ACL it was possible to inject code that gets executed via manipulated comments and ACL names. This issue affects OTRS: from 7.0.X before 7.0.42, from 8.0.X before 8.0.31; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.
OSV
CVE-2023-1250: Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code
osv · 2023-03-20 · CVSS 7.8
CVE-2023-1250 [HIGH] CVE-2023-1250: Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code
Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code. When creating or importing an ACL it was possible to inject code that gets executed via manipulated comments and ACL names. This issue affects OTRS: from 7.0.X before 7.0.42, from 8.0.X before 8.0.31; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.
Red Hat
postgresql: PostgreSQL row security below e.g. subqueries disregards user ID changes
vendor_redhat · 2024-11-14 · CVSS 7.5
CVE-2024-10976 [HIGH] CWE-1250 postgresql: PostgreSQL row security below e.g. subqueries disregards user ID changes
postgresql: PostgreSQL row security below e.g. subqueries disregards user ID changes
Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a commo
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2023-03-20